Utility Commission Of Texas

Transcription

traditional focus in operations has been more on physical security in the form of "guns, guards and gates." Security testing and auditing has been more commonplace in IT, so it is more mature than it is in energy operations, where outage testing has been the main focus.

Physical security is something that IT-centric facilities have had enough time to master. Keeping a data center secure is of primary importance, so it is quite obvious that it must be locked down tight. Security systems are robust - cameras and sensors are omnipresent and the areas are heavily trafficked, providing many witnesses; personnel tend to know who belongs and who does not. In energy operations, though, many facilities and the systems they contain tend to be remotely located and unmanned, making them subject to incursion, vandalism, and theft.

Table 3 illustrates the differences between the operational and maintenance requirements of IT systems versus Control Systems.67

Common/widely used; Uncommon/impossible to deploy; 3-5 years; Up to 20 years; Common/widely used; Regular/scheduled; Regular/scheduled; Generally, delays accepted; Generally, delays accepted; Good; Scheduled & Mandated; Secure; Rarely used; Slow (vendor specific); Rare; Critical, due to safety; 24 X 7 X 365, forever; Poor, except for physical; Occasional testing for outages; Remote and unmanned

Table 3: Information Technology vs. Control Systems

67 Patrick Miller, NESCO, NARUC Cyber Security Training, Indianapolis, IN; December 1, 2011.

Electric Grid Cybersecurity in Texas, Public Utility Commission of Texas

Figure 13: Example of a typical IT network.

Figure 13 depicts a simplified version of a typical IT-only network. Most devices on the network are servers or networking equipment.68

69 Source: 10/network-diagram.jpg .

Figure 14: Simplified Example of Electric Utility Control System Network

Figure 14 shows a simplified example of an electric utility's control system network.69 The cloud in the upper left labeled "Corporate LAN" is a typical IT-only network, as seen in Figure 13. This diagram differs in that it also has representations of field devices such as PLCs, RTUs,70 and IEDs71 on a segregated SCADA network. Some of these field devices sense things in the physical domain (providing sensory inputs), while others perform computational functions, and the remaining devices direct equipment to perform physical actions.

Rather than employing existing standard security practices that are put in place to protect the IT infrastructure of the business portion of an enterprise, these practices must be altered to accommodate the unique characteristics of the electrical infrastructure and tailored so that they will not cause a disruption in energy operations.

69 Source: http://eioc.pnnl.gov/research/cybersecurity.stm .
70 Remote Terminal Unit.
71 Intelligent Electronic Device.

Challenge: Cultural Differences between IT and OT

Another challenge of implementing cybersecurity in utilities is related to the industry's culture. Utility operations have traditionally been dominated by engineers, who are educated and trained to understand the underlying science behind electricity, as well as the systems and instrumentation used to measure, control, and direct it. Over the years, the engineering environment has incorporated an increasing amount of computer systems, and work processes have also been adapted to accommodate the use of IT. Many utility operations people typically have years of experience in the field, many having come into the industry at some point during the 1970s or 1980s with long tenure at the same utility.

It has been widely acknowledged in the United States that qualified engineers are increasingly difficult to come by. Finding the kind of engineers that either already have or would develop specialized knowledge to potentially become a utility operator is arguably even more difficult. Students of the past few decades have had a diminished interest in pursuing science- and engineering-based courses of study, while other career paths generally have become more attractive to them. Exacerbating the problem is the fact that many utilities typically have facilities scattered across rural territories that are sparsely populated. A graduating student pursuing employment would likely be required to relocate to such an area or commute long distances, which may be a deterrent to accepting a job offer.

Information Technology, on the other hand, has a broader appeal, as evidenced by increased student enrollments in college IT and Computer Science programs over the past two decades. IT has become more pervasive in general, thereby offering what has been perceived by new students as more opportunities upon graduation.
Further, web-based technologies have enabled the workforce to be more mobile - not just for the users of the technology, but for those who create it. A programmer can relocate to a community which he thinks is his most desired place to live and then work remotely. In many cases, an IT worker can even telecommute and work from his home. An IT worker has many choices compared to a typical utility worker. Therefore, the tenure of a typical IT staff member at any given company is relatively short and IT staff turnover at firms is rather high.

The distinctions between the OT and IT workforces are important to note, because as OT continues to automate, it is taking on more of the characteristics of IT. As a result of this convergence, management at utilities leans on their IT staffs for support in functions that would be ideally handled by someone with operational (i.e. OT) knowledge and experience. The problem with this is that IT staffers tend to be computer-focused in approach and do not possess the understanding of real-world processes that an engineer would have. Further, whereas IT security has developed in conjunction with business process automation over the past couple decades, OT Security is a relatively new concept. Solutions devised for an IT

environment cannot just be plugged into the OT environment without the possibility of adverse consequences.

Challenge: Security versus Compliance

When it comes to security considerations, the threat of fines that may be imposed upon utilities by NERC for noncompliance with its CIP standards can potentially take center stage in a dialog about security. This is only natural since fines can be readily defined in terms of dollars taken from the company's bottom line; money is the lingua franca of all business functions.

One of the primary goals of the PUC is to ensure that the grid remains safe and reliable. To accomplish this goal, commission Staff encourages utilities to promote a culture of security. The PUC is aware that one of the traps that a utility can fall into is having a mindset that is focused more on compliance than on security, in which the utility is doing the minimum necessary to meet an audit or to achieve regulatory compliance. In contrast, the pursuit of security is doing what is necessary, often within the compliance or audit structure, to reduce risk to an acceptable level as defined by the requirements of the business. Being able to discern the difference is important because mandating a compliance-based approach can be viewed as only an interim step that comes with the caveat that this alone may not save one from an attack.

Once the tenets of security are wholly embraced by an organization, compliance will follow more easily. One must avoid the notion that security can be merely "bolted on" rather than "built-in" to the organizational culture, just as the concept applies to any equipment that a utility may want to acquire. The topic of capital equipment procurement will be discussed in a subsequent section of this report.

Staff also encourages utilities to consider looking into the possibility of acquiring compliance reporting automation solutions to lessen the administrative burden of NERC CIP audits.
That way, instead of committing substantial resources to dealing with the paperwork associated with demonstrating compliance, utilities' subject matter experts can instead concentrate on their security activities.

Roles: Who Is Protecting Us?

Figure 15 shows the many federal legislative committees and agencies of the executive branch that are involved in cybersecurity for the electric sector.72

Figure 15: Organizations supporting smart grid and cybersecurity

National Security and Law Enforcement: Information Sharing

Staff has been working to strengthen ties with various security and law enforcement entities with the goal of helping utilities protect themselves against deliberate attacks, industrial espionage and other disruptive or malicious activities. This section describes these agencies, their activities, and the resources they make available.

72 Credit: "National Institute of Standards and Technology Smart Grid Advisory Committee Report," http://www.nist.gov/smartgrid/uploa d/N IST SGAC Fi nal Recom mendations Report 3-0512 with Attachments. pdf .

Department of Homeland Security (DHS)

DHS is a cabinet department of the federal government with the primary responsibility of protecting the U.S. and its territories from terrorist attacks, man-made accidents and natural disasters, and to respond to those emergency events. Unlike the Department of Defense, which is charged with military actions abroad, DHS works in the civilian realm to protect the U.S., primarily from within or at its borders. DHS has developed an array of products and services to help secure the country's infrastructure, and many cybersecurity-related resources are among what is offered. These are detailed below.

United States Computer Emergency Readiness Team (US-CERT)

The National Cyber Security Division (NCSD) of DHS has an operational arm named the United States Computer Emergency Readiness Team (US-CERT)73 that collaborates with state and local government, industry and international partners. US-CERT disseminates reasoned and actionable cybersecurity information through its web site, mailing lists and RSS channels. US-CERT also provides a way for citizens, businesses and other institutions to communicate and coordinate directly with the U.S. government about cybersecurity issues.

Control Systems Security Program (CSSP) and Idaho National Laboratory (INL)

A service within US-CERT is the Control Systems Security Program (CSSP),74 which offers training courses and workshops at various industry association events such as cybersecurity conferences. These courses provide up-to-date information on cyber threats and mitigations for vulnerabilities. The CSSP's goal is to reduce industrial control system risks within and across all critical infrastructure and key resource (CI/KR) sectors by coordinating efforts among federal, state, local and tribal governments as well as industrial control systems owners, operators and vendors.
The CSSP directs activities to reduce the likelihood of success and the severity of impact of a cyber-attack against critical infrastructure control systems through risk mitigation activities. For example, if an asset owner suspects that its system has been infiltrated, it can request that CSSP, operating in conjunction with INL, dispatch a "flyaway team" which will assess the system and provide analysis on whether the system has truly been compromised. The team will also provide actionable guidance to assist

73 http://www.us-cert.gov/ .
74 http://www.us-cert.gov/control systems/ .

the asset owner in mitigating the threat and give advice on how to maintain a secure system going forward. INL is also home of the NSTB,75 which offers several training classes, including the Advanced SCADA Security Red/Blue Team training, a 5-day hands-on course. Staff has taken this course and found it to be worthwhile. Staff also advocates that cybersecurity practitioners and those who work in energy delivery operations support roles, including utility personnel who either program SCADA or whose responsibility is to secure the IT or OT infrastructure of a utility, participate in the exercises.

The NSTB program contracted Energetics Incorporated to produce a weekly document called "Current Situation: Energy Delivery Systems Security," which is intended to provide organizations with a compilation and summary of open-source news and publications pertaining to energy delivery systems cybersecurity.

Cyber Storm Exercises

In fall 2010, DHS conducted Cyber Storm III,76 an exercise that was a part of the agency's continuing efforts to assess and strengthen cyber preparedness. The exercise was used to examine incident response processes that address ongoing threats and was intended to help enhance information sharing among federal, state, international and private sector partners.

Cyber Storm exercises have been a biannual series used to simulate large-scale cyber events and attacks on the government and the nation's critical infrastructure and key resources (CI/KR). They are held to measure the collective cyber preparedness and response capabilities against credible and realistic events at the national level. Cyber Storm III included thousands of players across government and industry and more than 1,500 injects of data that kept participants on their toes. Utility involvement in the Cyber Storm III exercise was limited. Some utilities were busy preparing for NERC CIP compliance audits and could not dedicate resources to the exercise.
The outreach to utilities on the part of DHS also seemed lacking; utilities who wished to be involved were required to contact DHS. Others felt that the details offered by DHS were rather sparse, which instilled some concerns about hidden agendas and doubts about the exercise's purpose. The exercise would have been better received by Texas utilities had DHS included some ERCOT-region utilities in the planning of the exercise.

PUC's participation in the exercise was coordinated through DIR and Texas Division of Emergency Management (TDEM).77 Staff was briefed on the exercise a couple months in advance and expressed an interest in participating. When the simulation commenced, Staff in

75 http://www.inl.gov/scada/ .
76 edia-fact-sheet.pdf .
77 http://www.txdps.state.tx.us/dem/ .

the Infrastructure and Reliability Division (IRD) expected to receive a flood of email messages, but in the end received only a few. In addition, these messages reflected a scenario that was IT-centric, versus a scenario which concerned facility operations or emergency response. IRD Staff felt that its specific needs for the exercise would have been better served if it had received the kinds of simulated messages that a utility operations' staff would have received or ones that were intended for the PUC's Emergency Management Response Team.

Since the first Cyber Storm was held, participants have fostered better relationships and implemented additional tools that have enabled planners to create more specific objectives. As the countries involved become more technologically adept, their respective national capabilities have sharpened, requiring those who administer the exercises to develop more challenging tests. DHS planners worked on plans for Cyber Storm IV, which was built upon the benefits gained from the last round to fulfill DHS' obligation to continually enhance its capabilities in facilitating these exercises. The PUC has not been briefed about Cyber Storm IV,78 but has learned that DHS intends for participants to:

- Examine organizations' capability to prepare for, protect from, and respond to cyber attacks' potential effects;
- Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures;
- Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information; and
- Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.

DHS works with other federal agencies and an example of this is the GridEx Exercise hosted by NERC.
GridEx was inspired by Cyber Storm and incorporated many of the lessons learned from the previous Cyber Storm engagements.

Industrial Control System Computer Emergency Readiness Team (ICS-CERT)

Another part of US-CERT is the Industrial Control System Computer Emergency Readiness Team (ICS-CERT),79 and part of its duty in helping defend critical infrastructure is to issue notifications. These ICS-CERT notifications describe recently discovered ICS cybersecurity vulnerabilities and provide actionable guidance for those who possess affected systems.

78 e .
79 www.us-cert.gov/control systems/ .

Homeland Security Information Network (HSIN)

A tool that was devised by DHS to help enable the information-sharing collaborative is the Homeland Security Information Network (HSIN).80 HSIN is a secure web portal containing a wealth of security information resources. Most relevant within HSIN is the Critical Sectors (HSIN-CS) section, which is focused on the challenges of protecting infrastructure. US-CERT and ICS-CERT notifications are also posted on the site.

Industrial Control Systems Joint Working Group (ICSJWG)

In its efforts to facilitate information-sharing and reduce the risk to the nation's industrial control systems, DHS established the Industrial Control Systems Joint Working Group (ICSJWG)81 as part of the CSSP, which operates under the Critical Infrastructure Partnership Advisory Council (CIPAC)82 requirements. The ICSJWG supplies a vehicle for communicating and partnering across all CI/KR sectors between federal agencies and private asset owners and operators of industrial control systems. ICSJWG's goal is to enhance the collaborative efforts of the industrial control systems stakehol
