Securing the Grid. Marianne Swanson, NIST Also Moderator Akhlesh Kaushiva (AK), DOE Lisa Kaiser, DHS Leonard Chamberlin, FERC Brian Harrell, NERC




Securing the Grid
Marianne Swanson, NIST (also moderator)
Akhlesh Kaushiva (AK), DOE
Lisa Kaiser, DHS
Leonard Chamberlin, FERC
Brian Harrell, NERC
February 27, 2012

NIST and the SGIP 2.0 Cybersecurity Committee
Marianne Swanson, Chair SGCC
Information Technology Laboratory, National Institute of Standards and Technology

Smart Grid Cybersecurity Committee Background
To address the cross-cutting issue of cybersecurity, NIST established the Cyber Security Coordination Task Group (CSCTG) in March 2009. The group was moved under the NIST Smart Grid Interoperability Panel (SGIP) as a standing working group and renamed the Cyber Security Working Group (CSWG). As the SGIP transitions to SGIP 2.0, the group has been renamed the Smart Grid Cybersecurity Committee (SGCC).

Guidelines for Smart Grid Cyber Security
NIST Interagency Report 7628 - August 2010
- Development of the document led by NIST
- Represents significant coordination among Federal agencies, the private sector, regulators and academics

Cybersecurity Committee Active Sub-groups and Leads
- Architecture Group: Elizabeth Sisley
- Cloud Computing and Smart Grid: Marianne Swanson
- High-Level Requirements Group: Dave Dalva & Victoria Yan Pillitteri
- NISTIR 7628 Users Guide Group: Chris Rosen & Mark Ellison
- Privacy Group: Rebecca Herold
- Standards Group: Frances Cleveland

Additional Projects
- Partnering with Department of Energy and Oak Ridge National Laboratory to test the AMI Upgradeability Standard
- Developing a Smart Grid Cybersecurity Test bed at NIST
- Executive Order: Improving Critical Infrastructure Cybersecurity

Potential Future Work
- Security Content Automation Protocol (SCAP) extension to cover cyber-physical systems
- Research in lightweight, low-power cryptography
- Identity management
- Collaboration with Brazil Inmetro on developing additional AMI security failure scenarios
- Collaboration with DOE on Smart Grid supply chain security issues

Learning More and Getting Involved
- Learn more about the SGCC at: http://collaborate.nist.gov/twikisggrid/bin/view/smartgrid/cybersecurityctg
- Learn more about the subgroups, including meeting times: http://collaborate.nist.gov/twikisggrid/bin/view/smartgrid/workinggroupinfo
- To learn more about SGIP 2.0 and join, visit: http://sgip.org/
- Download NISTIR 7628 at: http://csrc.nist.gov/publications/pubsnistirs.html#nist-IR-7628

Contact Information For any questions or comments, please contact Marianne Swanson, SGCC Chair, at marianne.swanson@nist.gov

Securing the Grid: OE's Smart Grid Cybersecurity Efforts
Akhlesh Kaushiva, U.S. Department of Energy, Office of Electricity Delivery and Energy Reliability

The American Recovery and Reinvestment Act of 2009
Programs created by statute (American Recovery and Reinvestment Act of 2009):
- $3.4 billion: Smart Grid Investment Grants (SGIG)*
- $620 million: Smart Grid Regional Demonstrations (SGDP)*
- $100 million: Workforce Training
- $80 million: Interconnection-wide Transmission Planning and Resource Analysis
- $12 million: Interoperability Standards
Additional OE Recovery Act Initiatives:
- $44 million: Technical Assistance to States
- $10 million: Local Energy Assurance Planning
[Chart: one-time appropriation of $4.5B in Recovery Act funds, broken down into Smart Grid Investment Grants, Smart Grid Demos, Workforce Training, Interoperability Standards, Resource Assessment & Transmission Planning, and Other; amounts in billion US dollars]
*Originally authorized by the Energy Infrastructure Security Act 2007, EISA 1306 and EISA 1304

Total Funds, 2015 Installations and Expected Benefit by area:

Transmission (total funds $580 million)
  2015 installations: more than 800 phasor measurement units
  Expected benefit: real-time voltage and frequency fluctuations visible across the system

Distribution (total funds $1.96 billion)
  2015 installations: about 7,500 automated switches; about 18,500 automated capacitors
  Expected benefit: outage management and VAR control

AMI (total funds $3.96 billion)
  2015 installations: more than 15.5 million smart meters
  Expected benefit: operational savings (fewer truck rolls, automated readings)

Customer Systems (total funds $1.33 billion)
  2015 installations: about 222,000 direct control devices; about 192,000 thermostats; about 7,000 in-home displays
  Expected benefit: increased customer control; reduced peak demand

Smart Grid Investment Grant (SGIG) Program Objectives
- Accelerate deployment of smart grid technologies across the transmission and distribution system and empower consumers with information so they can better manage their electricity consumption and costs
- Measure the impacts and benefits of smart grid technologies to reduce uncertainty for decision makers and attract additional capital and further advance grid modernization
- Accelerate the development and deployment of effective cybersecurity protections for smart grid technologies and systems

Foundation for SGIG Cybersecurity
ARRA Objectives
- Maintain capability for timely detection and response
- Mitigate consequences of a cyber event
- Correct known/exploited vulnerabilities
- Restore affected systems, networks, and equipment
Guiding Principles
- Define outcomes for security but don't dictate approach
- Provide national lab expertise to assist recipients
- Leverage federal resources and tools
- Encourage learning through peer-to-peer exchanges

SGIG/SGDP Cybersecurity Process (2011-2012)
- Prepare Cyber Security Plan (recipient) / Approve Plan (DOE)
- Provide expert cyber security resources
- Conduct site visits
- Conduct Smart Grid Cyber Security Information Exchange (peer-to-peer)
- Sustain utility cyber security programs (post-SGIG)

Smart Grid Cybersecurity Milestones
- 99 Cybersecurity Plans developed and approved by DOE
- Nearly 100 site visits completed in 2011; 102 site visits completed in 2012
- 2 Smart Grid Cybersecurity Information Exchanges held: August 2011 and December 2012
- Smart Grid Cybersecurity Resource Tool developed and distributed
- Secure website www.arrasmartgridcyber.net developed for ARRA recipients
- Two cybersecurity webinars conducted by PNNL
- Electricity Subsector Cybersecurity Capability Maturity Model developed and piloted at 17 utilities

Two Key Tools to Strengthen Cybersecurity
- Recipient Site Visits: cyber security experts made more than 100 onsite visits in each of 2011 and 2012 to evaluate Cybersecurity Plan implementation
- Smart Grid Cybersecurity Information Exchanges: held two workshops designed to foster direct peer-to-peer exchange of best practices and lessons learned

Site Visit Objectives
Ensure adequacy of planning and implementation and evaluate progress for a successful installation.
- Evidence: the primary focus is review of demonstrable evidence that the Cybersecurity Plan is being implemented as approved by DOE
- Lessons Learned: capture best practices, implementation challenges, and lessons learned that may be shared with others
- Support: provide support to projects on cyber security issues and concerns

Recommendations: Organizational Accountability
1. Have a well-defined chain of accountability with clearly defined roles and responsibilities
2. Establish organizational requirements for the creation, collection, retention, and ongoing review (by management, staff, contractors) of demonstrable evidence of cybersecurity responsibilities, capabilities, and performance
3. Apply evidence-based cybersecurity review and improvement processes throughout the project lifecycle
4. Conduct regular meetings between management and cybersecurity experts to show direct support and accountability
5. Continue to focus on the execution and continual improvement of your evidence-based cybersecurity program

Recommendations: Risk and Vulnerability Assessment
1. Execute risk, vulnerability, and mitigation processes and periodically review them for changes
2. Pay particular attention to external connections, interconnections between different vendors' systems, third-party service providers, etc.
3. Disable unneeded services and/or connectivity
4. Understand gaps in the Cyber Security Plan (CSP) and identify required actions to implement additional security controls, as appropriate
5. Follow published industry and government cybersecurity standards
6. Follow best practices for physical security
7. Perform periodic assessments and implement a process to retain an appropriately protected record of assessment findings and conclusions, mitigating actions that were recommended, and mitigating actions that were taken
8. Conduct evidence-based annual reviews (internal or third party) of CSP implementation

Recommendations: Protection, Response, & Recovery
1. Have a Cybersecurity Incident Response Team for cyber events
2. The incident response and recovery strategy should include a comparative review of logs and reports from before mitigation against those from after mitigation
3. Limit vendor connectivity to critical systems
4. Identify backup processes for use in the event that automation or patching creates operational problems
5. Limit connections to operational systems to read-only where practical
6. Focus on implementing resilient infrastructure that can anticipate, absorb, adapt to, and/or rapidly recover from a disruptive event
7. Generate demonstrable evidence of your capability and performance in all aspects of protection, response, and recovery
8. Periodic reviews, changes to policies or procedures, and changes to the CSP should be documented and evidence-based
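Recommendation 2 calls for comparing logs and reports from before a mitigation with those from after it. The Python below is an added example, not part of the DOE/SGIG material or of any utility's tooling: it collapses syslog-style lines into event keys (host, program, message with volatile fields such as ports and addresses masked) and reports which event kinds disappeared after the mitigation, which persisted (the mitigation did not address them), and which appeared only afterwards. The log line format, host names, user names and addresses are constructed assumptions for illustration.

```python
"""Before/after log comparison for verifying an incident mitigation.

Added example for the SGIG recommendation on comparative log review.
The line format (timestamp, host, program tag, message), the hosts and
the addresses below are constructed for illustration.
"""
import re
from collections import Counter

# Assumed line layout: "<timestamp> <host> <program>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<tag>[A-Za-z_]+): (?P<msg>.*)$")

# Constructed sample: events recorded before the mitigation was applied.
PRE_MITIGATION = """\
2012-10-03T01:12:04Z scada-hmi-1 sshd: Failed password for root from 198.51.100.7 port 51822
2012-10-03T01:12:09Z scada-hmi-1 sshd: Failed password for root from 198.51.100.7 port 51830
2012-10-03T01:14:41Z ami-headend-2 vendor_vpn: Session opened for vendoruser from 203.0.113.9
2012-10-03T01:15:00Z scada-hmi-1 telnetd: connect from 198.51.100.7
2012-10-03T01:20:12Z ami-headend-2 sshd: Accepted publickey for ops from 10.20.0.5 port 40112
"""

# Constructed sample: the same hosts after telnet was disabled and the
# vendor VPN account was restricted to a maintenance window.
POST_MITIGATION = """\
2012-10-04T01:10:31Z scada-hmi-1 sshd: Failed password for root from 198.51.100.7 port 52001
2012-10-04T01:18:45Z ami-headend-2 sshd: Accepted publickey for ops from 10.20.0.5 port 40210
2012-10-04T01:22:02Z ami-headend-2 vendor_vpn: Session denied for vendoruser from 203.0.113.9 (outside maintenance window)
"""


def normalize(msg):
    """Mask volatile fields so repeated events of one kind share a key."""
    msg = re.sub(r"\bport \d+", "port N", msg)
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "IP", msg)
    return msg


def event_counts(log_text):
    """Count events per (host, program, normalized message) key."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines outside the assumed format are skipped
        counts[(m["host"], m["tag"], normalize(m["msg"]))] += 1
    return counts


def compare(before_text, after_text):
    """Classify event kinds as resolved, persisting or new after mitigation."""
    before = event_counts(before_text)
    after = event_counts(after_text)
    keys = set(before) | set(after)
    return {
        # seen before, absent after: the mitigation removed them
        "resolved": sorted(k for k in keys if before[k] and not after[k]),
        # seen in both windows: either benign or not yet addressed
        "persisting": sorted(k for k in keys if before[k] and after[k]),
        # only after: side effects, or evidence that a new control is acting
        "new": sorted(k for k in keys if after[k] and not before[k]),
    }


if __name__ == "__main__":
    result = compare(PRE_MITIGATION, POST_MITIGATION)
    for section, items in result.items():
        print(f"== {section} ==")
        for host, tag, msg in items:
            print(f"  {host} {tag}: {msg}")
```

In the constructed sample the telnet connection and the open vendor VPN session are resolved, the denied VPN session appears as new (the restriction is visibly acting), and the root password failures against the HMI persist, which is exactly the kind of finding the before/after review is meant to surface: the mitigation did not cover that exposure and the response is not complete.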

Smart Grid Cybersecurity Information Exchange
- Exchange best practices: facilitate information sharing and lessons learned among ARRA grant recipients
- Share site visit lessons learned: share the experience and lessons learned from the SGIG site visits
- Present new cyber solutions: present new information on cybersecurity tools and solutions for the smart grid
- Identify gaps and needs: identify the cybersecurity needs and information gaps in deploying the smart grid

Selected Gaps and Needs (2011)
- Standard taxonomy for logging & reporting cyber events
- Tools for testing security posture for technology that is not common
- Set of system management tools
- Trusted, secure communications standards for devices
- Independent evaluation of various AMI vendors' security features
- Prioritized list for getting started on addressing security issues
- Best practices in securing SCADA traffic end-to-end

The Smart Grid Cybersecurity Resource Tool identified available government and industry resources and tools for 28 priorities identified by recipients.

www.arrasmartgridcyber.net: SGIG & SGDP Online Information Resource for Cyber Security
- Resources
- Training
- Webinars
- Forums
SGIP Spring Face-to-Face Meeting, March 29-31, 2011

Additional Cybersecurity Roles and Resources of OE
- The Cybersecurity for Energy Delivery Systems (CEDS) R&D program invests in next-generation cybersecurity solutions for energy delivery systems.
- Vulnerability assessments of commercial vendor systems are conducted at the National SCADA Test Bed (NSTB).
- The National Electric Sector Cybersecurity Organization (NESCO), a sustainable public-private partnership, supports sector incident management and response.
- The Risk Management Process (RMP) guideline, developed by OE, NIST, and NERC, helps users apply and tailor effective risk management processes.
- OE facilitates utilities in implementing the Electricity Sector Cybersecurity Capability Maturity Model (ES-C2M2), which helps grid operators assess their cybersecurity capabilities and prioritize cyber investments and actions.

Electricity Subsector Cybersecurity Capability Maturity Model
White House initiative with DHS and industry and cybersecurity experts to enable electric utilities and grid operators to:
- Assess their cybersecurity capabilities using a common tool
- Prioritize their actions and investments to improve cybersecurity

Lisa Kaiser, DHS

Federal Energy Regulatory Commission, Office of Energy Infrastructure Security
IEEE Innovative Smart Grid Technologies Conference
Securing the Grid
27 February 2013

Disclaimer
The opinions presented herein represent the personal opinions of Leonard Chamberlin and do not necessarily represent the opinion or decisions of the Federal Energy Regulatory Commission or the Federal Government.

Cyber Security and FERC
Energy Policy Act of 2005: gave the Commission the responsibility to oversee mandatory, enforceable reliability standards for the BPS.
Section 215 of the Federal Power Act: the Commission may certify an Electric Reliability Organization (ERO) that is responsible for proposing reliability standards to help protect and improve the reliability of the BPS.
- The Commission certified NERC as the ERO.
- The Commission does not have the authority to modify or author a standard.
- The Critical Infrastructure Protection (CIP) standards were first received from NERC in late 2006. Version 3 is currently in effect; Version 4 has an effective date of April 1, 2014.
- The Commission's reliability jurisdiction is limited to the BPS, as defined in the Federal Power Act.
Note: much of the smart grid equipment will be installed on distribution systems outside of the Commission's Federal Power Act jurisdiction.

FERC Areas of Activity
- Electricity: oversight of mandatory reliability standards for the BPS
- ONG (Oil & Natural Gas): regulation of oil & natural gas pipelines
- LNG (Liquefied Natural Gas): ensures the safe operation and reliability of proposed and operating LNG terminals
- Hydro: conducts oversight of operations, including dam safety inspections
This is not a complete list! Only the electric industry currently has mandatory and enforceable cyber security standards.

OEIS: Why the Office Was Created
Security threats are fast-moving, complicated and targeted at Critical Infrastructure. Threats are increasing in frequency, sophistication, and intensity:
- Aurora (2007)
- Stuxnet (2010)
- Duqu (2011)
- Wiper (2012)
- Flame (2012)
- Shamoon (2012)
- Telvent (2012)
Natural and man-made non-cyber threats are of increasing concern.

OEIS Mission
- Concentrates FERC's physical and cyber security expertise within one office.
- Provides assistance to FERC in conducting its statutory duties regarding cyber and physical security issues.
- Is not responsible for Commission orders or enforcement actions.
- Finds vulnerabilities and solutions affecting Commission jurisdictional infrastructures.
- Collaborates with the infrastructure owners/operators.
- Collaborates with other regulatory and government authorities (on a national and state level).
- Participates in the identification of physical and cyber security threats to Commission jurisdictional facilities.
- Identifies mitigation strategies to address physical and cyber security threats to Commission jurisdictional facilities.

What OEIS Does Not Do
Compliance: OER will continue to perform this role. OEIS staff will continue to provide technical expertise to other offices at the Commission, but are not involved with any compliance or regulatory functions.
Similar to the way in which NERC ES-ISAC operates, entities can share information with OEIS without worrying about compliance. Although we are still going to suggest that you self-report!
Also note this is an example: FERC is NOT establishing an ISAC.

OEIS Outreach
- Other federal agencies: DOE, DHS, FBI, NSA, NRC, FCC, etc.
- State agencies: NARUC, State PUCs, other state-level agencies
- ISACs: ES-ISAC, MS-ISAC
- Vendors (FERC cannot endorse any particular vendor or product)
- Utilities
- International

Sample Deliverables/Products for OEIS
- Develop an industry CEO Checklist
- Assist DOD & others with modeling efforts
- Provide technical input to NRC on its Inspection Manual
- Respond to requests for assistance
- Evaluate physical and cyber security best practices for Commission regulated entities
- Participate in cross sector threat analysis
- Provide Subject Matter Expertise to support Commission offices

Concluding Thoughts
- Technology is great, but often the failure is the human connection
- Education on current threats and vulnerabilities is a continuing process
- Think outside of the box: how would you take down your own system?
- Reporting of incidents. Example: only one tenth of 1% of registered entities are currently reporting copper thefts.
- INL Red Team / Blue Team Training
- Get involved w/ ISACs, ICS-CERT, US-CERT, InfraGard

Contact Info
Leonard M. Chamberlin III
Federal Energy Regulatory Commission, Office of Energy Infrastructure Security
301.665.1392
leonard.chamberlin@ferc.gov

A NERC Perspective Brian M. Harrell, CPP February 27, 2013 IEEE Innovative Smart Grid Technologies Conference

Largest machine in the world
The North American power grid includes 3 Major Interconnects, 8 Regions, 135 Balancing Authorities and:
- more than 5,000 companies
- more than 160,000 miles of high-voltage transmission lines
- more than 1,000,000 miles of distribution lines
- representing more than $1 Trillion in assets
- with a real-time capacity of more than 4B kilowatt hours (KWh)
- delivering electricity to more than 334 Million people
- who spend more than $365 Billion per year for electricity

Importance of Bulk Power System
Electricity is arguably the most critical of all critical infrastructures in North America. It is as important to modern civilization as water was to ancient Rome; it is impossible to calculate our dependency on electricity. An extended loss of electricity could result in unprecedented human suffering, economic devastation and profound gaps in national security.

Power grid threatened

You only report what you know about. What don't we know about?

Cybersecurity challenges
1. All networks are contested territory. BELIEVE IT!
   - Lack of vivid nature of the risk
   - Cyber risks are dynamic and still largely unknown
2. Are we protecting the correct assets properly?
3. Is funding appropriate to mitigate cyber-risk? Both unfunded mandates and mandates with cost-recovery.
4. Understanding that compliance rarely leads to good security, but good security almost always leads to compliance.
5. 100% risk-free security environments DO NOT exist.

Security vs Compliance
NERC is a compliance organization, and our organization is part of NERC. However, our goal is to use compliance with the CIP Standards to help improve security for the electricity industry.

CIP Standards
- CIP-002 Cyber Asset Identification
- CIP-003 Security Management Controls
- CIP-004 Personnel & Training
- CIP-005 Electronic Security Perimeters
- CIP-006 Physical Security of Critical Cyber Assets
- CIP-007 Systems Security Management
- CIP-008 Incident Reporting and Response Planning
- CIP-009 Recovery Plans for Critical Cyber Assets

Risk Management Program

High Impact Low Frequency Report: strategic direction, coordinated action
[Diagram: Vision, Goals, Risk Priorities, Scenario-based Approach, Coordinated Action Plan]

Smart Grid impact on the BPS
- Aggregates end-points and forces BPS planners and operators to take actions based on the behavior of the many customers' loads.
- Increases the potential attack surface and vulnerability vectors on both the distribution system and the bulk power system.
- Apply security lessons from the past 40 years.
- Opportunity to build security in: make security an integral part of the smart grid.