Post on 27-Jun-2020


Page 1

General Session: Cybersecurity and Supply Chain: Who, What, Where, Huawei?

Recognizing that entities supplying software and hardware to the electric grid may pose profound security challenges, the newly-minted NERC Standard CIP-013-1 requires Responsible Entities to develop documented supply chain cyber security risk management plans. NERC's related Implementation Guidance supports third party accreditation as a recommended element of a compliance plan, and work is now being undertaken in a number of silos on such programs. While this work is underway, responsible entities are largely left to their own devices in managing these risks. How they are doing so, and how we can effectively counsel our clients in controlling security and regulatory risk, is the focus of this panel discussion.

Moderator: Paul Tiao, Partner, Hunton Andrews Kurth

Speakers:
Tobias R. Whitney, Technical Executive, Power Delivery and Utilization – Cyber Security, Electric Power Research Institute
Laura Schepis, Senior Director, Security Policy, Edison Electric Institute
Ted J. Murphy, Partner, Hunton Andrews Kurth
Andrew G. Geyer, Partner, Hunton Andrews Kurth

Page 2

2019 Energy Bar Association Mid-Year Forum, October 15-16, 2019

Cybersecurity and Supply Chain: Who, What, Where, and Huawei?

Paul M. Tiao, Partner, Hunton Andrews Kurth
Andrew G. Geyer, Partner, Hunton Andrews Kurth
Tobias Whitney, Technical Executive, EPRI
Laura Schepis, Senior Director, Edison Electric Inst.
Ted Murphy, Partner, Hunton Andrews Kurth

Page 3

Roadmap

• Cyber Threat Landscape in the Utility Sector
• Cybersecurity Legal Framework
• Cybersecurity Preparedness Measures
• Cybersecurity Incident Response
• Recent FERC Developments on Supply Chain
• Supply Chain Contracting Issues and Suggestions

© 2019 Hunton Andrews Kurth LLP

Page 4

Cyber Threats to the Energy Sector

2018
• DHS/FBI report on Russian cyber attacks on energy and other companies
• Cyber attack on Energy Transfer Partners electronic data interchange

2017
• Cyber attacks on Wolf Creek Nuclear and other energy companies
• Compromise of Schneider Electric safety system

2016
• Crash Override attack on Ukraine power grid
• Ransomware attack on midwest utility company

2015
• Cyber attack on Ukraine power grid

2014
• Black Energy, Havex and Sandworm malware attacks on energy ICS

2013
• Iranian cyber attacks on NY dam and ONG control systems
• PRC cyber espionage targets 23 natural gas pipeline companies

2012
• Destructive malware attacks on Saudi Aramco and Qatar RasGas

Page 5

Cyber Threats

What’s at risk?
• Service Delivery
• Infrastructure
• Sensitive Company Information
• Customer Service
• Personal Information

Cyber Attacks
• Unauthorized Access
• Theft of Data
• Destruction of Data
• Misappropriation or Misuse
• Unauthorized Disclosure, Disposal, Transmission
• Unauthorized Encryption of Data for Ransom
• Denial of Service
• Integrity Loss (Unauthorized Changes)
• Privilege/Access Escalation
• Impersonation

Threat Actors
• Nation States
• Organized Crime
• Insiders
• Hacktivists
• Terrorists

Page 6

US Cybersecurity Regulatory Landscape

Federal Law
• PHMSA & MTSA
• CFATS
• NERC CIP
• HIPAA/HITECH
• FTC & GLB Acts
• SEC Reporting
• ECPA/CFAA
• SOX
• CISA

State Requirements
• MA, NV, CA and progeny
• Breach notification laws
• Mini-FTC Acts
• Disposal Laws
• Surveillance Laws
• NYDFS Regulations

Industry Standards
• PCI DSS
• ISO
• NIST
• COBIT
• ISA/IEC

Page 7

Cybersecurity Preparedness Measures

• Establish the appropriate governance structure
• Ensure written information security policies are state-of-the-art
• Identify and classify sensitive data
• Maintain incident response plan
• Prepare Incident Response Team through tabletop exercises
• Prepare data breach toolkit
• Improve access to cyber threat information
• Continually assess status of technical and physical protections
• Manage vendor risks
• Manage employee risks
• Train employees and increase awareness
• Assess cyber insurance, SAFETY Act

Page 8

Cyber Incident Response Timeline

Page 9

Supply Chain Security

Recent FERC Developments

Page 10

FERC Order No. 829

• FERC issued Order No. 829 on July 21, 2016.

• Order No. 829 directed NERC to develop mandatory requirements for the protection of aspects of the supply chain that are within the control of responsible entities (i.e., NERC-registered owners, operators, and users of the bulk power system)

• Consistent with the earlier NOPR, FERC directed NERC to develop a “forward-looking, objective-driven new or modified Reliability Standard to require each [responsible entity] to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations”

• FERC stated that many concerns expressed in comments on the NOPR are addressed by the flexibility inherent in its directive

Page 11

FERC Order No. 829

• The Reliability Standard was required to address the following security objectives in the context of addressing supply chain management risks:
1. Software integrity and authenticity
2. Vendor remote access
3. Information system planning
4. Vendor risk management and procurement controls

• The Reliability Standard was to require responsible entities to develop a plan to meet the four security objectives, while allowing flexibility as to how to meet the objectives

• The Reliability Standard was to require the responsible entity’s CIP Senior Manager to review and approve the controls adopted to meet the security objectives at least every 15 months

• NERC was required to submit the Reliability Standard to FERC by Sept. 27, 2017

Page 12

First Objective: Software Integrity and Authenticity

The Reliability Standard must address verification of:

1. The identity of the software publisher for all software and patches that are intended for use on BES Cyber Systems

2. The integrity of the software and patches before they are installed in the BES Cyber System environment

FERC Order No. 829


Page 13

Second Objective: Vendor Remote Access to BES Cyber Systems

• The Reliability Standard must address responsible entities’ logging and controlling of all third-party (i.e., vendor) initiated remote access sessions

• This objective covers both user-initiated and machine-to-machine vendor remote access

FERC Order No. 829


Page 14

Third Objective: Information System Planning and Procurement

• The Reliability Standard must address how a responsible entity will include security considerations as part of its information system planning and system development life cycle process

• The Reliability Standard must address a responsible entity’s CIP Senior Manager’s identification and documentation of the risks of proposed information system planning and system development actions

FERC Order No. 829


Page 15

Fourth Objective: Vendor Risk Management & Procurement Controls

• The Reliability Standard must address the provision and verification of relevant security concepts in future contracts for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations

• The Reliability Standard must address controls for the following topics:
1. Vendor security event notification processes
2. Vendor personnel termination notification for employees with access to remote and onsite systems
3. Product/service vulnerability disclosures, such as accounts that are able to bypass authentication or the presence of hardcoded passwords
4. Coordinated incident response activities

FERC Order No. 829


Page 16

NERC CIP-005-6, -010-3, & -013-1: Background

• NERC initially proposed to issue one new Reliability Standard (CIP-013-1), but ultimately proposed the issuance of two further new Reliability Standards (CIP-005-6 and CIP-010-3) to comply with the Order 829 directives

• Key Milestones in the development of the new Reliability Standards:
– Final NERC ballot concluded July 20, 2017
– NERC Board vote Aug. 10, 2017
– Filed with FERC Sept. 26, 2017

Page 17

NERC CIP-005-6, -010-3, & -013-1: Responsible Entities

• The Reliability Standards will apply to the following types of entities:
– Balancing Authority
– Distribution Provider
– Generator Operator
– Generator Owner
– Interchange Coordinator or Interchange Authority (CIP-005-6 and CIP-010-3 only)
– Reliability Coordinator
– Transmission Operator
– Transmission Owner

• Facilities covered by the Reliability Standards:
– All Bulk Electric System (BES) Facilities
– Distribution Provider’s applicable facilities

Page 18

NERC CIP-005-6, -010-3, & -013-1: Framework

• Overview of new Reliability Standards:
– CIP-013-1 requires Responsible Entities to implement processes to:

• Identify and assess cyber security risks to the BES from vendor products and services in their planning activities for high and medium impact BES Cyber Systems

• Include specified security concepts in their procurement activities for high and medium impact BES Cyber Systems

– CIP-005-6 bolsters protections in the existing CIP-005 by addressing specific risks related to vendor remote access

– CIP-010-3 augments existing CIP-010 protections in relation to risks associated with software integrity and authenticity


Page 19

NERC CIP-013-1: Summary of Requirements

• Final draft of CIP-013-1 submitted to FERC proposes three requirements:

R1 Develop a supply chain cybersecurity plan addressing the security objectives of Order 829:
1. Software integrity and authenticity;
2. Vendor remote access;
3. Information system planning; and
4. Vendor risk management and procurement controls

R2 Implement the plan
– Does not require renegotiation of existing contracts

R3 Reassess security controls at least once every 15 months
– Review must include consideration of new risks and changes

Page 20

NERC CIP-005-6: Summary of Requirements

• Final draft of CIP-005-6 submitted to FERC proposes two requirements:

R1 Implement documented process that ensures applicable systems meet the following requirements related to the ESP:

1. All applicable Cyber Assets with routable protocol network connections are within a defined ESP;

2. All external routable connectivity must be through identified Electronic Access Points (EAPs);

3. Require inbound and outbound access permissions for EAPs;

4. Authentication for dial-up connection with applicable Cyber Assets;

5. Capability to detect known or suspected malicious communications for inbound and outbound traffic

Page 21

NERC CIP-005-6: Summary of Requirements

• Final draft of CIP-005-6 submitted to FERC proposes two requirements (continued):

R2 Remote Access Management—Implement documented process that ensures applicable systems meet the following requirements:

1. Interactive remote access must use:
– an intermediate system so that Cyber Assets are not accessed directly;
– Encryption terminating at an intermediate system; and
– Multifactor authentication

2. Capability of determining active vendor remote access sessions, and of terminating such access sessions


Page 22

NERC CIP-010-3: Summary of Requirements

• Final draft of CIP-010-3 submitted to FERC proposes four requirements:

R1 Implement documented process that includes the following:

1. Develop baseline configuration for operating systems, open-source applications, installed custom software, logical network access points, and security patches;

2. Authorize and document changes that deviate from the baseline;

3. For deviations, update the baseline as necessary within 30 days of completing the change;

4. Determine required cyber security controls prior to the change, verify that those controls are not adversely affected following the change, and document the results of the verification;

5. If technically feasible, test changes in a test environment prior to implementing the change, documenting the results; and

6. Prior to implementing the change, verify the identity of the software source and the integrity of the software when available
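As an added illustration (not from the deck or from NERC), the following Python sketches how items 1 to 3 of R1 can be operationalised: a stored baseline is diffed against an observed inventory, every difference is reconciled against pre-approved change records, and only authorized deviations are folded into the updated baseline. Categories, component names, ticket numbers and states are constructed.

```python
"""Baseline-deviation check for the CIP-010-3 R1 process (added example; all data constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

State = Dict[str, Dict[str, Optional[str]]]   # category -> component -> state/version
ChangeKey = Tuple[str, str]                     # (category, component)

# Constructed baseline for one BES Cyber Asset, in the categories R1 item 1 names.
BASELINE: State = {
    "os": {"vendor-os": "7.4"},
    "applications": {"historian": "3.2.1", "hmi-runtime": "5.0"},
    "custom_software": {"alarm-bridge": "1.1"},
    "network_access_points": {"tcp/502": "listening", "tcp/22": "listening"},
    "security_patches": {"KB-2019-001": "installed"},
}

# Constructed change records approved before the change was made (R1 item 2).
# new_state None means the component was authorized for removal.
AUTHORIZED_CHANGES: Dict[ChangeKey, Dict[str, Optional[str]]] = {
    ("applications", "historian"): {"ticket": "CHG-1042", "new_state": "3.2.2"},
    ("network_access_points", "tcp/22"): {"ticket": "CHG-1043", "new_state": None},
}

# Constructed "observed" state, as an inventory agent might report it today.
OBSERVED: State = {
    "os": {"vendor-os": "7.4"},
    "applications": {"historian": "3.2.2", "hmi-runtime": "5.1", "remote-tool": "2.0"},
    "custom_software": {"alarm-bridge": "1.1"},
    "network_access_points": {"tcp/502": "listening"},
    "security_patches": {"KB-2019-001": "installed", "KB-2019-002": "installed"},
}


@dataclass(frozen=True)
class Deviation:
    category: str
    component: str
    baseline_state: Optional[str]
    observed_state: Optional[str]
    ticket: Optional[str]          # authorizing change record, or None if unauthorized

    @property
    def unauthorized(self) -> bool:
        return self.ticket is None


def compare(baseline: State, observed: State,
            authorized: Dict[ChangeKey, Dict[str, Optional[str]]]) -> List[Deviation]:
    """Diff observed state against the baseline and reconcile each difference with
    the change records. A record only authorizes the exact state it approved."""
    deviations: List[Deviation] = []
    for category in sorted(baseline.keys() | observed.keys()):
        base = baseline.get(category, {})
        obs = observed.get(category, {})
        for component in sorted(base.keys() | obs.keys()):
            b, o = base.get(component), obs.get(component)
            if b == o:
                continue
            record = authorized.get((category, component))
            ticket = record["ticket"] if record and record["new_state"] == o else None
            deviations.append(Deviation(category, component, b, o, ticket))
    return deviations


def updated_baseline(baseline: State, deviations: List[Deviation]) -> State:
    """Fold authorized deviations into a new baseline (R1 item 3). Unauthorized
    deviations are never folded in; they stay open until investigated."""
    new: State = {cat: dict(items) for cat, items in baseline.items()}
    for d in deviations:
        if d.unauthorized:
            continue
        if d.observed_state is None:
            new.get(d.category, {}).pop(d.component, None)
        else:
            new.setdefault(d.category, {})[d.component] = d.observed_state
    return new


if __name__ == "__main__":
    for d in compare(BASELINE, OBSERVED, AUTHORIZED_CHANGES):
        tag = f"AUTHORIZED {d.ticket}" if d.ticket else "UNAUTHORIZED"
        print(f"{tag:22} {d.category}/{d.component}: {d.baseline_state} -> {d.observed_state}")
```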


Page 23

NERC CIP-010-3: Summary of Requirements

• Final draft of CIP-010-3 submitted to FERC proposes four requirements (continued):

R2 Implement documented process that monitors at least once every 35 days for changes to the baseline configuration

R3 Implement documented process that includes the following:

1. Conduct a paper or active vulnerability assessment at least once every 15 days;

2. Perform active vulnerability assessment at least once every 36 months and document the result;

3. Prior to adding a new applicable Cyber Asset to the production environment, perform an active vulnerability assessment of the asset; and

4. Document the results of each of the above and the plan to remediate or mitigate identified vulnerabilities


Page 24

NERC CIP-010-3: Summary of Requirements

• Final draft of CIP-010-3 submitted to FERC proposes four requirements (continued):

R4 Implement documented plans for Transient Cyber Assets and Removable Media that include requirements specified in an attachment to the Reliability Standard, which address the management, authorization, and mitigation of risks associated with Transient Cyber Assets managed by the Responsible Entity or by other parties


Page 25

NERC Technical Guidance

• NERC Technical Reference on the Final Draft CIP-013-1 sets forth examples of controls that may satisfy the Reliability Standard requirements

• Examples of controls for Software Integrity and Authenticity:
– Ensuring patches are from the original source before installation
– Implementing server-side encryption keys that may be validated and regularly tested
– Using third party certificates to validate the identity of the vendor
– Requiring use of digital fingerprints and checksums
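An added example, not NERC's, EPRI's or the firm's code, of the "digital fingerprints and checksums" control above and of the CIP-010-3 R1 step that verifies software source identity and integrity and documents the result: a pre-installation gate that pins the manifest's publisher to an allow-list, checks the artifact's SHA-256 digest with a constant-time comparison, and emits a PASS or FAIL record for the change log. It assumes the vendor manifest has already been authenticated (for instance against the vendor's code-signing certificate); publisher names, file names and bytes are constructed.

```python
"""Pre-installation integrity gate for vendor software (added example; data constructed)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict

# Publishers whose software may be installed on BES Cyber Systems (constructed allow-list).
APPROVED_PUBLISHERS = {"Example Relay Co.", "Example HMI Ltd."}

# Constructed artifact and the vendor manifest that describes it. The manifest's own
# authenticity (vendor signature / certificate) is assumed to have been verified
# before this gate runs; this gate checks what the manifest says about the file.
ARTIFACT = b"constructed-relay-firmware-image-7.4.1"
MANIFEST_JSON = json.dumps({
    "publisher": "Example Relay Co.",
    "files": {"relay-fw-7.4.1.bin": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}},
})


class VerificationError(Exception):
    """Raised for any condition under which installation must not proceed."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(filename: str, data: bytes, manifest_json: str) -> Dict[str, str]:
    """Check publisher and digest; return a PASS record or raise VerificationError.
    Unknown publisher, file absent from the manifest and digest mismatch are all
    hard stops: there is no partial pass."""
    manifest = json.loads(manifest_json)
    publisher = manifest.get("publisher", "")
    if publisher not in APPROVED_PUBLISHERS:
        raise VerificationError(f"publisher not approved: {publisher!r}")
    entry = manifest.get("files", {}).get(filename)
    if entry is None:
        raise VerificationError(f"{filename} is not listed in the manifest")
    expected = str(entry.get("sha256", "")).lower()
    actual = sha256_hex(data)
    # Constant-time comparison: a plain != would leak how much of the prefix matched.
    if not hmac.compare_digest(expected, actual):
        raise VerificationError(
            f"digest mismatch for {filename}: expected {expected}, got {actual}")
    return {"file": filename, "publisher": publisher, "sha256": actual, "result": "PASS",
            "verified_at": datetime.now(timezone.utc).isoformat()}


def gate(filename: str, data: bytes, manifest_json: str) -> Dict[str, str]:
    """Installation gate: always returns a record to be kept as documentation of the
    verification; the caller installs only when record['result'] == 'PASS'."""
    try:
        return verify_artifact(filename, data, manifest_json)
    except VerificationError as err:
        return {"file": filename, "result": "FAIL", "reason": str(err),
                "verified_at": datetime.now(timezone.utc).isoformat()}


if __name__ == "__main__":
    print(gate("relay-fw-7.4.1.bin", ARTIFACT, MANIFEST_JSON)["result"])             # PASS
    print(gate("relay-fw-7.4.1.bin", ARTIFACT + b"\x00", MANIFEST_JSON)["reason"])   # digest mismatch ...
```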


Page 26

NERC Technical Guidance

• Examples of controls for Vendor Remote Access:
– Using an operator-controlled, time limited (e.g. lock out, tag out) process for third-party remote access
– Setting up alert and monitoring parameters on key attributes and thresholds such as number of failed log-in attempts
– Logging and review procedures
– Using jump hosts for access to protected networks
– Changing default passwords
– Monitoring and acting on advisories
– Contract terms to support controls
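An added example (not from the deck or the NERC guidance) of the failed-login threshold and logging controls above, run over constructed jump-host log lines in Python: it raises an alert when a vendor account exceeds a threshold of failed logins within a sliding window, and lists vendor sessions that are still open together with how long they have been open, which is what an operator needs for the CIP-005-6 R2 capability to determine and terminate active vendor sessions. The log format, the "vendor-" account prefix and the thresholds are assumptions.

```python
"""Vendor remote access monitoring over jump-host logs (added example; log lines constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed log excerpt from an intermediate (jump) host in front of the ESP.
LOG = """\
2019-10-15T08:00:05Z jump01 AUTH_FAIL user=vendor-acme src=203.0.113.10
2019-10-15T08:00:09Z jump01 AUTH_FAIL user=vendor-acme src=203.0.113.10
2019-10-15T08:00:14Z jump01 AUTH_FAIL user=vendor-acme src=203.0.113.10
2019-10-15T08:01:02Z jump01 AUTH_OK user=vendor-acme src=203.0.113.10 session=s-101
2019-10-15T08:05:40Z jump01 AUTH_OK user=jsmith src=10.0.0.7 session=s-102
2019-10-15T08:30:00Z jump01 LOGOUT user=jsmith session=s-102
2019-10-15T09:10:01Z jump01 AUTH_FAIL user=vendor-relayco src=198.51.100.5
2019-10-15T09:10:02Z jump01 AUTH_FAIL user=vendor-relayco src=198.51.100.5
2019-10-15T09:10:03Z jump01 AUTH_FAIL user=vendor-relayco src=198.51.100.5
2019-10-15T09:10:04Z jump01 AUTH_FAIL user=vendor-relayco src=198.51.100.5
2019-10-15T09:10:05Z jump01 AUTH_FAIL user=vendor-relayco src=198.51.100.5
2019-10-15T09:10:06Z jump01 AUTH_FAIL user=vendor-relayco src=198.51.100.5
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) ?(?P<kv>.*)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse(line: str) -> dict:
    """Turn one log line into a dict of fields; key=value pairs become entries."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields.update(ts=parse_ts(m.group("ts")), host=m.group("host"), event=m.group("event"))
    return fields


def is_vendor(user: str) -> bool:
    return user.startswith("vendor-")   # account naming convention assumed


def failed_login_alerts(events, threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """Sliding-window count of AUTH_FAIL per vendor account; returns, for each
    account that reached the threshold, the time it was first reached."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, datetime] = {}
    for e in events:
        if e["event"] != "AUTH_FAIL" or not is_vendor(e.get("user", "")):
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and e["user"] not in alerts:
            alerts[e["user"]] = e["ts"]
    return alerts


def active_vendor_sessions(events, now: datetime) -> List[Tuple[str, str, timedelta]]:
    """Vendor sessions opened (AUTH_OK) with no matching LOGOUT, and how long open."""
    open_sessions: Dict[str, Tuple[str, datetime]] = {}
    for e in events:
        if e["event"] == "AUTH_OK" and is_vendor(e.get("user", "")):
            open_sessions[e["session"]] = (e["user"], e["ts"])
        elif e["event"] == "LOGOUT":
            open_sessions.pop(e.get("session"), None)
    return [(user, sid, now - start) for sid, (user, start) in open_sessions.items()]


def analyse(log: str, now_iso: str):
    """Run both checks over a log excerpt as of the given time (ISO-8601, UTC)."""
    events = [parse(line) for line in log.splitlines() if line.strip()]
    now = parse_ts(now_iso)
    return failed_login_alerts(events), active_vendor_sessions(events, now)


if __name__ == "__main__":
    alerts, sessions = analyse(LOG, "2019-10-15T10:00:00Z")
    for user, first_hit in alerts.items():
        print(f"ALERT failed-login threshold reached by {user} at {first_hit.isoformat()}")
    for user, sid, open_for in sessions:
        print(f"ACTIVE vendor session {sid} ({user}) open for {open_for}; review or terminate")
```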

Page 27

NERC Technical Guidance

• Examples of controls for Information System Planning:
– Screening criteria to determine high-risk systems or changes
– Processes to assess third-party risks in planning, including:
  • Gathering and review of information on vendor security processes
  • Engaging vendors in testing of potential vulnerabilities
  • Use of available tools for establishing vendor risk baseline
– New system design processes to incorporate layered protections, security policy, architecture, and controls
– Processes for coordination and approval involving appropriate IT security, supply chain, and legal personnel

Page 28

NERC Technical Guidance

• Examples of controls for Procurement Risk Management:
– Incorporate risk-assessment information in RFPs
– Establish procurement review teams that include CIP personnel
– Develop contract terms addressing the four security objectives
– Require notification of security events that may impact the Responsible Entity
– Require notification of transfer, reassignment, or termination of employees with remote or onsite access to BES Cyber Systems

Page 29

Order No. 850

• FERC issued Order No. 850 on October 18, 2018

– Approved CIP-013-1, CIP-005-6 and CIP-010-3

• Approved proposed violation risk factors and severity levels

• Approved proposed effective date: July 1, 2020

– Directed NERC to address Electronic Access Control and Monitoring Systems (“EACMS”) associated with medium and high impact BES Cyber Systems and submit revised standards within 24 months

– Accepted NERC proposal to study Physical Access Control Systems (“PACS”) and Protected Cyber Assets (“PCAs”)

Page 30

Recent Developments – May 2019

• May 17 NERC Staff Report

– Approved by NERC BOD
– Filed at FERC May 28

• Recommendations:

– Revise standards to address EACMS that provide electronic access control (excluding monitoring and logging) to high and med-impact BES Cyber Systems

– Revise standards to address PACS that provide physical access control (excluding alarming and logging) to high and medium impact BES Cyber Systems

– Conduct a study to determine whether the standards should include low impact BES Cyber Systems with External Routable Connectivity

– Develop guidelines to assist entities evaluating their PCAs to determine whether additional supply chain protections are needed.


Page 31

Most Recent Developments – Summer 2019

• June – Standard Authorization Request

– NERC initiated the standards development process for EACMS (as directed by FERC) and PCAs (as recommended by NERC staff)

– Goal is to meet Order No. 850’s 24 month deadline

• August 19 – Data Request

– NERC’s BOD approved a data request re: the “nature and number” of low impact BES cyber systems, specifically those with inbound or outbound electronic access. Focus on counting locations.

– Responses due in 45 days


Page 32

Supply Chain Security

Key Contractual Considerations

Page 33

Key Contractual Considerations

• Security Obligations
– Security requirements, standards and policies
  • Compliance with law
  • Compliance with applicable industry standards
  • Compliance with Customer’s security requirements
  • Compliance with vendor’s information security program
– Notification of security events
– Remediation of security events

• Audit Rights and Reporting
– Inspection rights
– Third party audits and certifications
  • SOC reports
  • ISO certifications

Page 34

Key Contractual Considerations

• Risk Allocation
– Indemnification
  • Indemnified parties
  • Scope of obligation
– Liability Limitations
  • Direct and Consequential Damages
  • Exceptions

• Termination Rights
– Material breach vs. specific right

• Insurance
– Type of insurance?
– Who provides insurance?

Page 35

Contractual Approaches

• What Approach Do I Take?
– Update existing form agreements?
– Checklists for responding to vendor paper?
– Security Addendum?
– All of the above?

• Approach will differ depending on type of Vendor
– e.g., Cloud Providers vs. Outsourcing Providers

Page 36

How Industry & Government Work Together to Protect Critical Infrastructure

August 2019

TLP:GREEN

Page 37

Purpose

The ESCC is the principal liaison between the electric sector and the federal government for coordinating efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure.

Page 38

16 Critical Infrastructure Sectors and Sector-Specific Agencies (SSAs)

Page 39

Industry-Government Coordination


Page 40

Energy Sector Government Coordination Structure

Page 41

ESCC Organizational Structure


Page 42

ESCC Leadership

Duane Highley, Tri-State Generation and Transmission Association, Inc.
Kevin Wailes, Lincoln Electric System
Tom Fanning, Southern Company

Page 43

Contact Information

Laura Schepis, Edison Electric Institute, [email protected]

For more information: electricitysubsector.org


Page 44

© 2019 Electric Power Research Institute, Inc. All rights reserved. www.epri.com

EPRI Strategic Initiative: Supply Chain Workstream
Bridging cyber security supply chain vulnerability gaps between utility needs and product capabilities

Cyber Security Strategic Initiative
By Tobias Whitney

Page 45

Transition-to-Practice by “Identifying, Translating & Applying” (ITA) OT Security Solutions

Cyber Security Strategic Initiative – Priorities (based on executive guidance)

Requesting $1.9M for 2019, as part of a $5.6M total investment (2019–2021), to build technical capabilities, industry engagement, and a self-sustaining business model that engages utilities, government stakeholders, universities, and, potentially, other critical infrastructure to harden existing infrastructure while enabling future integrated grid technologies.

Scope
• Supply Chain (Building in Supplier Risk Mitigation): Innovative approach to mitigate supply chain risk by implementing vendor standardization and certification model
• Grid to Edge Architecture (Architecting Technology Strategy): Grid to Edge (G2E) Security Framework Development & Application in Utility Projects (Substations, DER, Solar, Storage, EV, ...)
• Security Metrics (Operationally - Driving Decisions): Security Metrics that result in Improved Decisions – with Tools & Guidance to Simplify Implementation

Build on EPRI’s Past Success in Security
• Integrated Security Operations Center (ISOC)
• Forensics for ICSs
• IDS/IPS for OT Security
• Security Metrics Framework
• Technology Assessment Methodology (TAM)

Page 46

The Leaders of this Initiative

Coordination Team
Stan Partlow, VP & Chief Security Officer, AEP
Phil Clark, Director Critical Infrastructure, AECC
Manny Cancel, VP IT and CIO, Con Ed
Ben Waldrep, SVP and Chief Security Officer, Duke Energy
David Batz, Senior Director, Cyber & Infrastructure Security, EEI
Jason Fortik, VP Power Supply, Lincoln Electric
Randy Crissman, VP Compliance, NYPA
Kenneth (KC) Carnes, VP Critical Secure Services & CISO, NYPA
Tom O’Brien, SVP & CIO, PJM
Mike Mertz, VP & CIO, PNM
Todd Inlander, SVP & CIO, SCE
Curley Henry, Director, Cyber Security Strategy, Southern Co
Dawn Roth Lindell, SVP & Rocky Mountain Regional Manager, WAPA

The EPRI Team
Arshad Mansoor, SVP R&D
Matt Wakefield, Director Information, Communication and Cyber Security
Galen Rasche, Senior Program Manager, Cyber Security
Tobias Whitney, Technical Executive, Cyber Security


Background

Challenges

Numerous guidelines and approaches exist to address supply chain vulnerabilities

Vendor community is witnessing a splintered set of requirements from numerous entities

No consistent process or forms exist to document vendor product security capabilities or controls

Real World Issues

“Section 889 prohibits U.S. executive agencies from using telecommunications and physical security surveillance equipment produced by certain Chinese-based companies, including Huawei, ZTE Corp, Hytera Communications Corp, Hangzhou Hikvision Digital Technology Co., and Dahua Technology Co.”

“The Worldwide Threat Assessment of the US Intelligence Community states, “China has the ability to launch cyber-attacks that cause localized, temporary disruptive effects on critical infrastructure—such as disruption of a natural gas pipeline for days to weeks—in the United States.” Although a majority of observed activity has been primarily for espionage and intellectual property theft, the U.S. intelligence community has stated that China does seek to exploit grid vulnerabilities to serve strategic objectives in wartime.” – Supply Chain Risk II – NERC Alert


Which one is real, and which one is counterfeit?

$399 vs. $2,300


Supply Chain Risk Assessment – EPRI Report to NERC
https://www.nerc.com/pa/comp/SupplyChainRiskMitigationProgramDL/EPRI_Supply_Chain_Risk_Assessment_Final_Report_public.pdf

Recommendations - Applying Industry Practices and Guides*

1. Off-premise Supplier Premises (i.e. Cloud)
2. Third-Party Accreditation Processes
3. Secure Hardware Delivery
4. Provenance (traceability)
5. Threat Modeling
6. Assessing Supply Chain Deficiencies
7. Recognizing External Dependencies
8. Policy for Handling Supplied Products or Services that DO NOT adhere to Procurement Processes
9. Unsupported or Open-Sourced Technology Components
10. Concluding Supplier Relationships

(*) Active Guideline development via the Critical Infrastructure Protection Committee (CIPC)


Supply Chain Workstream

Objective(s)

• Create solutions that support the CIP Standards and Supply Chain Compliance
• Leverage solutions that can address enterprise supply chain challenges
• Create a solution that can help standardize vendor documentation of product security capabilities

2019 Deliverables/Activities

• Develop certification requirements for electric system products
• Define processes for vendors to self-certify to certification requirements
• Develop Implementation Guide to support certification process and voluntary standard
• Develop and maintain a vendor product controls library for industry


Key Steps

Scoping

• NERC CIP Systems
• Enterprise Systems
• Controls Mapping and Standardization

Approach

• Industry Outreach
• Vendor Coordination
• Online Controls Database (Supplier Security Hub)

Adoption

• NERC Implementation Guide
• ERO Endorsement
• Supplier Information Applied


Supplier Database Concept Explained

Supplier Database will address the following priorities:

• Vendor Security Practices
• CIP Compliance Capabilities
• Product Security Features

Secured, Limited Access Database

Streamlined Approach to Vendor Product and Capability Research

Supplier Database

• Registered Entity Research of Vendor Product Security Features and Supply Chain Controls
• Voluntary Self-Certified Product Security Features and 3rd Party Validated Internal Controls


Together…Shaping the Future of Electricity


Questions?