Cyber Attack Task Force - Final Report - NERC

More documents

Recommendations

Info

Appendix F: Precursors and Local Indicators of an Unusual Event • Unexpected loss of network connectivity, both internal and external • Change in sound or pitch of equipment Anomalies within Substations • Alarms associated with relays, communications processors, SCADA • Indications of physical access to equipment (tamper-proof tape on maintenance ports) • Changes to relay configurations or settings • Changes to ports/services on PCs or other equipment in substations (i.e. different from baseline) • Changes to breaker settings or configurations • Changes to RTU configurations or settings • Passwords changed or checked out outside normal change cycle • Alarms associated with devices unplugged or unauthorized devices connected to secured network (MAC addresses, switch ports normally turned down) • Loss of RTU / DCS communication to the master EMS • Change in sound or pitch of equipment Anomalies in Situational Awareness • Decrease in expected activity • Similar activity as in previous hour, 24 hours or day that does not appear to match field readings • Telemetry readings not matching schedules Communication from (RTO and/or neighboring utilities, customers) • Confirmed cyber security event at another entity • Alarms associated with RTUs at interconnect points (multiple RTUs) • Unconfirmed cyber security event • Customer calls describing outages that do not correspond with normal alarms Personnel • Multiple personnel absent due to illness • Erratic or nervous behavior • Personnel missing or present during unusual times of during the day or shift 62 Cyber Attack Task Force Report
Appendix G: Isolation and Survivability Tactics Appendix G: Isolation and Survivability Tactics None of the suggested actions should be taken without first understanding the operational or situational awareness impact Network Isolation • Disable non-essential corporate connections to Internet, including e-mail • Disable backup (dial-up or emergency) connections to Internet • Disable connections with business partners (point-to-point connections and site-to-site VPNs) • Disable remote access (dial-up, and client VPN) connectivity connections to internet • Remove inbound connectivity to critical networks from corporate or business networks • Remove outbound connectivity from critical networks to corporate or business networks to prevent further propagation Operational Isolation • Disable AGC and operate using local generator control • Disable SCADA and Communications networks from Substations and Generation facilities • Disable communications from Communications Processors in Substations from Intelligent Electronic Devices (IEDs) such as relays. • Disconnect relays from breakers • Islanding • Under Frequency Load Shedding Cyber Attack Task Force Report 63
Page 1 and 2:
Cyber Attack Task Force Final Repor
Page 3 and 4:
Table of Contents Table of Contents
Page 5:
Denial of Service - EMS application
Page 8 and 9:
Executive Summary Defining a Coordi
Page 10 and 11:
Executive Summary Key Recommendatio
Page 13 and 14:
Executive Summary Introduction A hi
Page 15 and 16:
Adversaries, Motivations, and Capab
Page 17 and 18:
Adversaries, Motivations, and Capab
Page 19 and 20:
Low Level Threat Criminals, Hackers
Page 21 and 22:
Cyber Threat Group Foreign State Na
Page 23 and 24: What a Coordinated Attack Looks Lik
Page 25 and 26: Expanding each of the two events: S
Page 27 and 28: Detection Capabilities Global Monit
Page 29 and 30: Detection Capabilities Appendix F c
Page 31 and 32: Defensive Capabilities / Deterrence
Page 33 and 34: For example: Defensive Capabilities
Page 39 and 40: Responses to Attack Responses to At
Page 41 and 42: Responses to Attack staff to locati
Page 43: Responses to Attack Entities that u
Page 46 and 47: Recommendations • Continue to dev
Page 48 and 49: Recommendations node attack. At a m
Page 50 and 51: Outreach Outreach Outreach is an im
Page 52 and 53: References References Name Link DOE
Page 54 and 55: References NERC CATF Roster - Contr
Page 56 and 57: Appendix A: Introduction to Attack
Page 58 and 59: Appendix B: Resources Appendix B: R
Page 60 and 61: Appendix C: Cyber Event Scenarios f
Page 66 and 67: Appendix D: Acronyms Appendix D: Ac
Page 69 and 70: Appendix E: Potential Responses to
Page 71 and 72: Appendix E: Potential Responses to
Page 73: Appendix F: Precursors and Local In
Page 78 and 79: Appendix H: Defensive Capabilities
Page 80 and 81: Appendix I: CRPA Observations and R
Page 82 and 83: Appendix I: CRPA Observations and R
Page 84 and 85: Appendix J: Case Studies to underst
Page 86 and 87: Appendix J: Case Studies Lateral Mo
Page 88: Appendix K: Task Force Goals and Ob
show all

Cyber Attack Task Force - Final Report - NERC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?