Cyber Attack Task Force - Final Report - NERC

More documents

Recommendations

Info

Appendix I: CRPA Observations and Recommendations Observation 8 - Despite the number of public displays of system compromise in recent years, combined with well-known cyber incidents impacting the energy sector, some individual participants remain skeptical about the possibility of a successful cyber attack on their own critical cyber assets, and as an extension, of the BPS cyber infrastructure itself. Participants did concede, however, that participating in scenario-driven exercises that used non-fictitious elements (cyber attack) to force them to test traditional response activities was very useful. Recommendation 8 - As the threat and risk landscape can change quickly, entities are encouraged to incorporate specific intelligence about their operations into their planning and training agenda. In addition, as part of the risk assessment process, entities could extend their activities to determine actual and plausible threats against their cyber infrastructure and use that data to populate their exercise and training curricula. Training activities for SCADA/EMS operators should be expanded to include general cybersecurity training to all EMS/SCADA IT, Electric System Operations, Corporate IT, and IRT training regimens.
Appendix J: Case Studies Appendix J: Case Studies Breaking Air Gap Myths About Control System Inaccessibility - Stuxnet Just because there is an “air gap” doesn’t mean a control system is inaccessible to adversaries. Stuxnet is a great example. A USB thumb drive can be transported from an infected host machine and inserted into the target network that is air-gapped. Then stuxnet can propogate on the local target network via multiple exploits. That propagation results in forming a hostile Peer to Peer (P2P) network which operates on the probability of finding resident hosts with indirect or direct internet accessibility. It then utilizes these hosts to establish an indirect Command and Control (C2) bridge for hostile control. In sum, USB served as not only the delivery mechanism but also to establish a network of hostile P2P relationships within the target network. Another Example, Breaking Air Gap Myths About Control System Inaccessibility – Buckshot Yankee SIPRNET is Department of Defense’s (DoD) Secret-level network. This network is commonly perceived as completely air-gapped, yet in 2010 Deputy Defense Secretary William Lynn publicly disclosed a 2008 worm infestation on the network. The DoD response to this infestation was called Buckshot Yankee. Also in 2010, well-known former counter terrorism official Richard Clarke released a book entitled “Cyber War.” Clarke gave a more detailed account of Buckshot Yankee. The delivery mechanism was USB insertion, much like stuxnet, but its C2 method was novel. Instead of P2P C2, Buckshot Yankee relied on sneaker-net C2. The infected thumb drive payload carried not only the malware worm but also a data file. This data contained requests and responses which serve as a C2 channel to the next internet connected devices the USB is inserted into. The result: USB creation of an effective hostile sneaker-net C2 channel across the perceived air gap which “secures” the target network. The bottom line: USB established a delivery mechanism within an air-gapped network and then sneaker-net connectivity enabled by repeated usage of USB devices between both air-gapped and non-airgapped networks. TAKE AWAY, what these examples say about Cyber Attack awareness… Techniques such as utilizing USB devices as delivery mechanisms to enable hostile penetration of targeted “secure” control networks is widely known. Approaches of establishing hostile C2 channels across the gap using techniques such as P2P or sneaker-nets are less well known. Techniques like these mean that defensive measures limited to reliance on air gaps need to be evaluated skeptically. Other advanced and novel means of hostile penetration, and the means to offer effective layered defense against them, must be considered to achieve true control network and device security and true risk management. These observations point towards integrated consideration of policies, procedures, system design, operational approaches, intrusion detection, anomaly, monitoring and awareness technologies which deliver a capability Cyber Attack Task Force Report 71
Page 1 and 2:
Cyber Attack Task Force Final Repor
Page 3 and 4:
Table of Contents Table of Contents
Page 5:
Denial of Service - EMS application
Page 8 and 9:
Executive Summary Defining a Coordi
Page 10 and 11:
Executive Summary Key Recommendatio
Page 13 and 14:
Executive Summary Introduction A hi
Page 15 and 16:
Adversaries, Motivations, and Capab
Page 17 and 18:
Adversaries, Motivations, and Capab
Page 19 and 20:
Low Level Threat Criminals, Hackers
Page 21 and 22:
Cyber Threat Group Foreign State Na
Page 23 and 24:
What a Coordinated Attack Looks Lik
Page 25 and 26:
Expanding each of the two events: S
Page 27 and 28:
Detection Capabilities Global Monit
Page 29 and 30:
Detection Capabilities Appendix F c
Page 31 and 32: Defensive Capabilities / Deterrence
Page 33 and 34: For example: Defensive Capabilities
Page 39 and 40: Responses to Attack Responses to At
Page 41 and 42: Responses to Attack staff to locati
Page 43: Responses to Attack Entities that u
Page 46 and 47: Recommendations • Continue to dev
Page 48 and 49: Recommendations node attack. At a m
Page 50 and 51: Outreach Outreach Outreach is an im
Page 52 and 53: References References Name Link DOE
Page 54 and 55: References NERC CATF Roster - Contr
Page 56 and 57: Appendix A: Introduction to Attack
Page 58 and 59: Appendix B: Resources Appendix B: R
Page 60 and 61: Appendix C: Cyber Event Scenarios f
Page 66 and 67: Appendix D: Acronyms Appendix D: Ac
Page 69 and 70: Appendix E: Potential Responses to
Page 71 and 72: Appendix E: Potential Responses to
Page 73 and 74: Appendix F: Precursors and Local In
Page 75: Appendix G: Isolation and Survivabi
Page 78 and 79: Appendix H: Defensive Capabilities
Page 80 and 81: Appendix I: CRPA Observations and R
Page 84 and 85: Appendix J: Case Studies to underst
Page 86 and 87: Appendix J: Case Studies Lateral Mo
Page 88: Appendix K: Task Force Goals and Ob
show all

Cyber Attack Task Force - Final Report - NERC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?