MEETING AGENDA. Security Advisory Council Meeting. May 9, 2017, 9:00 a.m. to 3:00 p.m. Via WebEx. CLARITY ASSURANCE RESULTS


MEETING AGENDA
Security Advisory Council Meeting
May 9, 2017
9:00 a.m. to 3:00 p.m.
Via WebEx

380 St. Peter Street #800
Saint Paul, MN 55102
P. 651.855.1760
F. 651.855.1712
W. MidwestReliability.org

VIDEO AND AUDIO RECORDING

Please note that Midwest Reliability Organization (MRO) may make a video and/or an audio recording of this MRO Security Advisory Council (SAC) meeting for the purposes of making this information available to board members, members, stakeholders and the general public who are unable to attend the meeting in person.

By attending this meeting, I grant MRO:

1. Permission to video and/or audio record the MRO SAC meeting including me; and
2. The right to edit, use, and publish the video and/or audio recording.
3. I understand that neither I nor my employer has any right to be compensated in connection with the video and/or audio recording or the granting of this consent.

MEETING AGENDA
MRO Security Advisory Council Meeting
Tuesday, May 9, 2017, 9:00 a.m. to 3:00 p.m. Central
WebEx Teleconference

AGENDA ITEM | ACTION | TIME

1 Call to Order and Introductions | Information | 9:00 a.m.
  Mike Kraft, MRO Security Advisory Council (SAC) Chair
  a. Determination of Quorum and Introductions
  b. Standards of Conduct and Anti-Trust Guidelines
  c. Additions to the Agenda

2 Consent Agenda | Discussion and Action | 9:20 a.m.
  Mike Kraft, MRO SAC Chair
  a. Review and approve Minutes from January 19, 2017, MRO Security Advisory Council Meeting closed session
  b. Review and approve Minutes from February 2, 2017, MRO Security Advisory Council Meeting

3 MRO Staff Report | Information | 9:25 a.m.
  Steen Fjalstad, MRO Security and Mitigation Principal
  a. Staff Transitions
  b. Communication from other MRO Organizational Groups

4 Chair's Report | Discussion and Action | 9:35 a.m.
  Mike Kraft, MRO SAC Chair
  a. Mailing lists
  b. Web Sites (MRO SAC Collaboration Portal and MRO SAC Page)
  c. Conducting business between meetings (e.g. MRO Sponsored Training) (Action)
  d. MRO SAC Member terms

5 Work Plan Review and Update | Discussion and Action | 9:45 a.m.
  MRO SAC Members

*** BREAK *** 10:30 a.m.

6 MRO Representatives on the NERC Critical Infrastructure Protection Committee (CIPC) | Information, Discussion and Action | 10:35 a.m.
  a. NERC CIPC Report
     Marc Child, MRO Representative and Chair of the NERC CIPC
  b. MRO Representation on the NERC CIPC (Action)
     Mike Kraft, MRO SAC Chair and Alternate MRO Representative on the NERC CIPC
  c. Term Limits for members of NERC Committees
     Mike Kraft, MRO SAC Chair and Alternate MRO Representative on the NERC CIPC
  d. Alternate NERC CIPC Representative with Operations expertise (Action)
     Mike Kraft, MRO SAC Chair and Alternate MRO Representative on the NERC CIPC

7 MRO Security Conference Update | Information | 11:35 a.m.
  a. SAC Sponsored Training
     John Hochevar, MRO SAC Member
  b. Pre-Conference and Conference Agenda
     Steen Fjalstad, MRO Security and Mitigation Principal

*** LUNCH *** 12:00 p.m.

8 Cybersecurity Update | Discussion | 12:30 p.m.
  a. MRO Region Security Risk Assessment
     MRO SAC Members

9 Physical Security Update | Information | 12:35 p.m.
  Warren LaPlante, MRO SAC Member

10 EMS/SCADA/Control Center Security Update | Information | 1:00 p.m.
  a. Takeaways from April 2017 ICSJWG Meeting
     Jodi Jensen, MRO SAC Member

*** BREAK *** 1:30 p.m.

11 Partner Updates | Information | 1:35 p.m.
  a. E-ISAC
  b. Mid-Continent Compliance Forum (MCCF) - CIP Working Group
  c. Government Partners - FBI, DHS, ICS-CERT, Public Safety Canada, RCMP
  d. State Fusion Centers
  e. State PUCs
  f. Trade Organizations
  g. Industry

12 SHAred RESources (SHARES) High Frequency (HF) Radio Program | Information | 2:30 p.m.
  Ross Merlin, DHS NCC SHARES Program Manager

13 Other Business | Information | 2:55 p.m.

14 Adjourn | 3:00 p.m.

AGENDA 1 - Call to Order
a. Determination of Quorum and Introductions
Mike Kraft, MRO Security Advisory Council (SAC) Chair

2017 MRO Security Advisory Council Roster

Name | Sector | Term End
Mike Kraft, Chair | Basin Electric Power Cooperative | December 2019
Tim Anderson, Vice Chair | Dairyland Power Cooperative | December 2017
Stephen Brown | Xcel Energy | December 2017
Mark Gabel | MISO | December 2017
John Hochevar | American Transmission Company | December 2019
Jodi Jensen | Western Area Power Administration | December 2018
Brian Kollmansberger | Alliant Energy | December 2018
Warren LaPlante | Minnesota Power (ALLETE, Inc.) | December 2018
Tyler Stinson | Xcel Energy | December 2019

AGENDA 1 - Call to Order
b. Standards of Conduct and Anti-Trust Guidelines
Mike Kraft, MRO SAC Chair

Standards of Conduct Reminder: Standards of Conduct prohibit MRO staff, committee, subcommittee, and task force members from sharing non-public transmission sensitive information with anyone who is either an affiliate merchant or could be a conduit of information to an affiliate merchant.

Anti-trust Reminder: Participants in Midwest Reliability Organization meeting activities must refrain from the following when acting in their capacity as participants in Midwest Reliability Organization activities (i.e. meetings, conference calls, and informal discussions):

- Discussions involving pricing information; and
- Discussions of a participant's marketing strategies; and
- Discussions regarding how customers and geographical areas are to be divided among competitors; and
- Discussions concerning the exclusion of competitors from markets; and
- Discussions concerning boycotting or group refusals to deal with competitors, vendors, or suppliers.

AGENDA 1 - Call to Order
c. Additions to the Agenda
Mike Kraft, MRO SAC Chair

Mike Kraft will ask meeting attendees for any additional items to the agenda.

AGENDA 2 - Consent Agenda
a. Review and Approve Minutes from January 19, 2017 MRO Security Advisory Council WebEx Meeting - Closed Session
b. Review and Approve Minutes from February 2, 2017 MRO Security Advisory Council Meeting
Mike Kraft, MRO SAC Chair

MIDWEST RELIABILITY ORGANIZATION
Draft Minutes of the MRO Security Advisory Council Closed Session Meeting
WebEx Conference Call
January 19, 2017, 9:00 a.m.-10:00 a.m. Central

1. Call to Order and Introductions

a. Determination of Quorum. The meeting was called to order at 9:03 a.m., and Jennifer Matz, MRO Risk Assessment and Mitigation Administrator, determined that a quorum was present and introductions were made. A complete list of attendees is included as Exhibit A.

b. Standards of Conduct and Anti-Trust Guidelines. Pursuant to Policy and Procedure 4, MRO's Standards of Conduct, Conflict of Interest and Anti-Trust Guidelines were presented by Steen Fjalstad, MRO Security and Mitigation Principal.

2. Proposed MRO SAC Work Plan

a. MRO SAC Meeting Dates and Initiatives for 2017. Interim MRO Security Advisory Council (MRO SAC) Chair Mike Kraft proposed a spreadsheet format to manage the MRO SAC's work plan, which contains the council's initiatives, meeting dates, outreach, and action items. Since the document received positive feedback from the council, Interim Chair Kraft requested council members send any additions to the work plan to him by January 24; he'll send a revised work plan to the council and MRO staff prior to the February 2 meeting, if necessary. Jennifer Matz will maintain the document going forward.

Interim Chair Kraft discussed the need for the council to have a central location to house all of the MRO SAC's non-public documents.

Action Item: MRO staff will consult with MRO's General Counsel to determine where the MRO SAC can house its non-public documents.

The MRO SAC confirmed its meeting dates for 2017.

- Q1: February 2, 2017 (In-person)
- Q2: May 9, 2017 (WebEx)
- Q3: August 1, 2017 (WebEx)
- Q4: September 29, 2017 (In-person)
- Strategy Session: December 6, 2017 (WebEx)

3. Agenda for February 2, 2017 Meeting

Interim MRO SAC Chair Mike Kraft discussed the purpose for the progression of agenda topics for the MRO SAC in-person meeting on February 2, 2017. He informed the council that he contacted and invited a number of industry partners to the meeting to begin developing partnerships (e.g., E-ISAC). Interim Chair Kraft also asked for council members to volunteer to provide reports on security topics. The following MRO SAC members volunteered to present.

- MRO SAC Member Tim Anderson will report on the S4 Conference
- MRO SAC Member John Hochevar will report on the Grizzly Steppe JAR and IOCs Discussion
- MRO SAC Member Tyler Stinson will report on the Ukraine December 2016 Incident

4. MRO 2017 Security Conference Update

Steen Fjalstad informed the council that the format of last year's conference received positive feedback. The format focuses on five key areas. The key areas are an executive talk, physical, cyber, insider threat management/cyber hunting, and government intelligence. Fjalstad asked the council to think about these focus areas and inform him of any ideas or suggestions for topics and speakers.

5. Other Business

Interim Chair Mike Kraft asked the council if there were any other topics or concerns to discuss. No topics or concerns were provided by the council.

6. Adjourn

Having no further business to discuss, the meeting was adjourned at 10:00 a.m.

Exhibit A
Meeting Attendees

Council Members Present on Web Meeting

Mike Kraft, Interim Chair | Basin Electric Power Cooperative
Tim Anderson, Interim Vice Chair | Dairyland Power Cooperative
Stephen Brown | Xcel Energy
Mark Gabel | MISO
John Hochevar | American Transmission Company
Jodi Jensen | Western Area Power Administration
Brian Kollmansberger | Alliant Energy
Warren LaPlante | Minnesota Power
Tyler Stinson | Xcel Energy

Council Members Not Present

MRO Staff

Steen Fjalstad | Security and Mitigation Principal
Richard Burt | Vice President of Risk Assessment, Mitigation, and Standards
Jennifer Matz | Risk Assessment and Mitigation Administrator

MIDWEST RELIABILITY ORGANIZATION
Draft Minutes of the MRO Security Advisory Council Meeting
MRO Offices, St. Paul, MN
February 2, 2017

1. Call to Order and Introductions

Interim MRO Security Advisory Council (SAC) Chair Mike Kraft called the meeting to order at 8:35 a.m. and introductions were made. He extended a warm welcome to meeting attendees.

a. Determination of Quorum. The meeting secretary Jennifer Matz, MRO Risk Assessment and Mitigation Administrator, determined that a quorum was present. A complete list of attendees is included as Exhibit A.

b. Standards of Conduct, and Anti-Trust Guidelines. Pursuant to Policy and Procedure 4, MRO's Standards of Conduct, Conflict of Interest and Anti-Trust Guidelines were presented to attendees by Richard Burt, MRO Vice President of Risk Assessment, Mitigation and Standards.

c. Additions to the Agenda. No additions to the agenda were proposed by council members. Upon a motion duly made and seconded, the MRO Security Advisory Council unanimously approved the agenda as written.

2. Discussion on MRO SAC Chair and Vice Chair Appointments

Interim Chair Kraft asked council members to discuss the appointments for chair and vice chair in order for the council to provide a recommendation to the GPC which will then recommend the appointments to the MRO Board. Council members' feedback on the current appointments was positive, and no other council members were nominated for the chair or vice chair positions.

A motion was made to approve Mike Kraft as chair and Tim Anderson as vice chair of the MRO SAC. Upon a motion duly made and seconded, the MRO SAC unanimously approved Mike Kraft as chair and Tim Anderson as vice chair of the MRO SAC.

Action: MRO Staff will recommend to the GPC that Mike Kraft be approved as chair and Tim Anderson as vice chair of the MRO SAC. The GPC will then consider that recommendation for the MRO Board to approve.

3. MRO Staff Report

Steen Fjalstad, MRO Security and Mitigation Principal, informed council members that he is the MRO staff liaison assigned to the MRO SAC. He provided an overview of how the MRO SAC was established and that the council will help the region address specific threats to the Electric Sector.

Fjalstad referred council members to the MRO SAC charter, where he clarified a couple of statements in the charter. He highlighted the focus of the SAC is to address security concerns and not compliance concerns. Although compliance concerns may come forth, the focus of the MRO SAC should continue to be on security (e.g., cybersecurity, physical security, SCADA, EMS, etc.). Fjalstad further stated that the MRO SAC is an MRO organizational group that provides advice and counsel to the MRO Board, MRO staff, and registered entities.

Fjalstad reviewed a revised MRO Organizational Groups Chart containing the MRO SAC, and highlighted the objectives of the other MRO committees and subgroups. He informed council members to refer to Policy and Procedure 3 (Organizational Groups) to understand the establishment, responsibilities, and procedures of MRO Organizational groups and MRO Representatives on NERC Committees.

Richard Burt, Vice President of Risk Assessment, Mitigation and Standards, asked council members to be cognizant of the other MRO committees' activities, especially the Operating Committee and Standards Committee. The Operating Committee on occasion may review items like the reliability of SCADA systems from an operational perspective. Burt asked council members to be aware of the MRO Standards Committee (SC) and the difference between guidance on security related items versus guidance pertaining to standards, which falls under the MRO SC. He informed the council that MRO staff can assist with communicating the activities of other committees that may be of interest to the MRO SAC, since staff attends the committee meetings.

Interim Chair Mike Kraft briefly reviewed the MRO SAC charter with council members in prep for the next agenda item.

The committee recessed for break at 9:18 a.m. and reconvened at 9:40 a.m.

4. Goals and Objectives for 2017 (Part I)

a. Goals. Interim Chair Mike Kraft received feedback from council members on the high-level goals listed in the report; no changes were proposed to the goals. He asked MRO staff if the MRO SAC can proceed with projects before the next quarterly meeting if the council's goals and objectives are aligned with the MRO Board approved charter and a work plan that supports the charter objectives.

Richard Burt informed the council that the MRO SAC goals and objectives along with the work plan will need to be approved by the MRO Board at the March 16 MRO Board of Directors Meeting. Burt offered to look into what tasks the council can proceed with prior to MRO Board approval once the MRO SAC has established tasks and timelines in the work plan.

b. Objectives. Interim Chair Mike Kraft reviewed the objectives under each goal and asked for council feedback about whether the actions are measurable and attainable. The council discussed revisions to the objectives.

Regarding the word HERO in objective 3.7, Richard Burt provided a high-level overview of the five principles of Highly Reliable Organizations pertaining to HRO Theory as a background for MRO's use of the word HERO to represent Highly Effective Reliability Organizations.

The council suggested the following revisions to the objectives:

- Add Objective 1.6: Develop MRO Region security contacts list by August 2017
- Revise Objectives 2.1 and 3.1 from 60 to 90 days
- Revise Objectives 2.2-2.4 and 3.2-3.4 to read "Develop or facilitate"
- Revise Objectives 3.5 and 3.6 to read "Advisor to" rather than "Support"
- Revise Objective 3.7 by removing all language except distill and communicate lessons learned from security-related incidents in 2017

A motion was made to approve the MRO SAC goals and objectives as amended during the meeting. Upon a motion duly made and seconded, the MRO SAC unanimously approved the MRO SAC 2017 Goals and Objectives as amended.

c. Guiding Principles. Interim Chair Mike Kraft reviewed the proposed guiding principles with council members. He highlighted that the purpose of the principles is for the MRO SAC to refer to these principles when making decisions on work products to ensure the appropriate areas are being covered. Interim Chair Kraft asked council members for feedback about whether or not the council needs guiding principles and if any revisions are needed.

The council provided positive feedback about the guiding principles and suggested the following revisions to the document:

- Change number 3 to "Transparent in operation"
- Change number 4 to "Don't duplicate, but relate"
- Remove number 10

A motion was made to approve the MRO SAC Guiding Principles as amended during the meeting. Upon a motion duly made and seconded, the MRO SAC unanimously approved the MRO SAC Guiding Principles as amended.

5. Goals and Objectives for 2017 (Part II)

a. Proposed 2017 Calendar. Interim Chair Mike Kraft informed the council that the proposed 2017 calendar is provided in the work plan document.

b. Work Plan. Interim Chair Kraft referred to the proposed work plan in the agenda packet. He highlighted how the council can use this document to manage all of its action items and responsibilities. Council members provided feedback on the document.

The council questioned the timing of its last meeting in 2017 and whether it will need MRO Board approval for its 2018 Work Plan. Richard Burt recommended the council have the 2018 Work Plan approved by the MRO Board by the end of 2017. MRO Board approval for the work plan all depends on how closely the items in the work plan tie to the charter. Therefore, Burt informed council members that MRO staff will help with those details when the time comes. Based on Burt's response, Interim Chair Kraft informed council members to leave the last council meeting as is until further notice.

The committee recessed for lunch at 11:47 a.m. and reconvened at 12:30 p.m.

c. Deliverables. Interim Chair Kraft reviewed the proposed action items with attendees. Discussion ensued regarding the type of outreach the council would like to provide in 2017. The council members revised the work plan to incorporate contributing an article for each issue of the Midwest Reliability Matters newsletter, and four webinars regarding the Department of Homeland Security Survey Tool, Threat Intel 101, Ukraine Review and Action, and GridEx IV Overview and Preparation.

The council set soft and hard deadlines for each deliverable on the work plan. Interim Chair Kraft confirmed that the work plan deliverables covered cybersecurity, physical security, and control systems.

Since the meeting was behind schedule, Interim Chair Kraft moved the following item ahead on the agenda.

6. MRO Representatives on the NERC Critical Infrastructure Protection Committee (CIPC)

a. NERC CIPC Report. Marc Child, MRO Representative and Chair of the NERC CIPC, provided highlights from the last NERC CIPC meeting, which included an E-ISAC update, an Emerging Technology roundtable debrief, an approved work plan, and a regional briefing program. Child discussed how the NERC CIPC is changing to improve the participation of its members while attending NERC CIPC meetings. He hopes this will help make the NERC CIPC more productive.

The committee recessed for break at 1:55 p.m. and reconvened at 2:00 p.m.

Upon conclusion of the NERC CIPC Report, Interim Chair Kraft continued with Work Plan discussions.

d. Assignments. Council members and guests volunteered for deliverables listed on the work plan. The assignments for deliverables were documented.

Upon a motion duly made and seconded, the MRO SAC unanimously approved the MRO SAC 2017 Work Plan as amended.

Since the meeting was behind schedule, Interim Chair Kraft moved the following item ahead on the agenda.

11. Partner Updates

Interim Chair Mike Kraft stated this agenda item is designed to make sure the council is developing partnerships with established entities and having discussions surrounding what is the right amount of information that should be flowing back and forth and with what mechanisms. He also stated the partners were invited today to provide a quick overview of their organization or provide an update.

a. E-ISAC. Beth Gannett, E-ISAC Manager of Member Services, provided an update on the recent activities of the E-ISAC, which included E-ISAC programs, the portal improvements completed, and upcoming events. Gannett also reported that sharing and reporting is on the rise; however, the E-ISAC has only received three shares from the MRO Region in the fourth quarter of 2016. She hopes that by providing this update it will encourage entities in the MRO Region to share more. The council expressed interest in getting the word out there and sharing information in the future as it builds its outreach program.

b. Mid-Continent Compliance Forum (MCCF) - CIP Working Group. Jenifer Holmes, Chair of the MCCF CIP Working Group, informed the council about the working group being a private forum for registered entities in the mid-continent area that focuses on CIP Compliance. The working group meets to share knowledge, lessons learned, and general best practices. The meetings are informal and are interactive. The next meeting is March 2 at the MISO facility in Eagan, MN.

c. MISO CIPUG. The council was informed that this group is now retired and is no longer active.

d. Government Partners - FBI, DHS, ICS-CERT, Public Safety Canada, RCMP. Mike Christianson, new PSA in Minnesota from the Department of Homeland Security (DHS), reported that there are nine PSAs for eight different states in the MRO Region. He explained that PSAs are a resource to all critical infrastructure sectors and assist in anything the entities need regarding Physical Security.

James Gulak, Public Safety Canada Saskatchewan Office, introduced himself and stated he is Mike Christianson's counterpart in Canada. He provides the same type of function and services as DHS but in Saskatchewan, which is in the MRO Region. He also covers Manitoba. His role is to be a liaison, help build partnerships with stakeholders, make sure information is being shared efficiently, and to work together collaboratively for risk management.

Darin Hanson, Central Region Private Sector Engagement Subcommittee representative for the National Fusion Center Association, thanked the council for allowing him to attend the meeting. He recommended including the fusion centers in GridEx for entities participating.

e. State PUC - MN. Kevin O'Grady from the Minnesota Public Utilities Commission (MN PUC) informed the council that the MN PUC is tasked with watching reliability for both the energy and telecom sectors. Since the MN PUC is tasked with paying attention to rates, it means it needs to be more cognizant of the challenges entities face and what is occurring in the industry, which is why he is attending the MRO SAC meeting.

f. Trade Organizations. No contacts from trade organizations were in attendance.

g. Industry. Tom Hofstetter, Senior CIP Compliance Auditor with the North American Electric Reliability Corporation (NERC), introduced himself and highlighted that besides E-ISAC services, NERC can answer compliance questions or concerns from the industry.

Upon conclusion of the Partner Updates, Interim Chair Mike Kraft continued with Agenda item 6b.

b. MRO Representation on the NERC CIPC. Interim Chair Mike Kraft, on behalf of Tony Rowan, reviewed a draft report on what the expectations are of MRO Representation on the NERC CIPC, which included the purpose for representation, membership, voting expectations, and the roles of the primary and alternate members. He informed the council that the MRO representatives have never had a guide that identifies what is expected of them. Therefore, Interim Chair Kraft proposed the council review this document and have a possible action at a future meeting for recommendation to the MRO Board for approval. No concerns were raised by the council.

Action: MRO SAC members review the proposed document and provide feedback to Interim Chair Kraft by the next MRO SAC meeting.

c. CIPC Regional Report. Interim Chair Kraft explained that the MRO Region will be giving a report to the NERC CIPC regarding its security activities on March 8, 2017. He referred the council members to the report and asked that members provide feedback. No comments were provided by the council.

7. MRO Security Conference Update

Steen Fjalstad, MRO Security and Mitigation Principal, reported that this will be the fourth year of the MRO Security Conference and last year's agenda format received positive feedback. The agenda consisted of an executive talk, physical, cyber, insider threats, and then a government intelligence discussion. Fjalstad also informed the council to expect a meeting invite towards the end of February to discuss this conference in more detail now that the MRO SAC is involved in the development of the conference.

A council member recommended the MRO SAC consider having a registered entity present at the conference regarding what it did in response to the Ukraine event, to prevent similar events from happening in the MRO region.

8. Cybersecurity Update

a. S4 Conference. Interim MRO SAC Vice Chair Tim Anderson informed the council that he attended the Industrial Control Systems Cybersecurity Conference (S4 Conference) a few weeks ago. He highlighted that the conference covered a number of important topics, but some of the key topics of interest for the electric sector were the presentations of the Ukraine December incident, applying some of the safety concepts and processes to analyze cybersecurity, and new research on future solutions (e.g., Secure SCADA Protocol SSP21). Interim Vice Chair Anderson volunteered to send the URL for the SSP21 project to be included in the meeting minutes.

Action: Interim Vice Chair Anderson will provide the URL for the SSP21 project presented at the S4 Conference to Jennifer Matz for the meeting minutes.

b. Grizzly Steppe JAR and IOCs Discussion. MRO SAC Member John Hochevar provided a breakdown of the Grizzly Steppe Joint Analysis Report (JAR) published by the U.S. Department of Homeland Security and the Federal Bureau of Investigation regarding the hacking of the DNC and some of the election processes. Hochevar discussed what kind of work occurred, what did and did not work, and how to relate this example to the MRO Region.

9. Physical Security Update

a. Security Management in the North American Electricity Sub-Sector Guideline. Interim MRO SAC Chair Mike Kraft informed the council about the Security Management in the North American Electricity Sub-Sector Guideline posted on NERC's website. He highlighted that the guide is a good compilation of Physical Security knowledge and is meant for registered entities that do not have a mature Physical Security Plan. He also informed attendees to keep an eye out for a final version of this document to be posted on the E-ISAC website in the near future.

10. EMS/SCADA/Control Center Security Update

a. Ukraine December 2016. MRO SAC Member Tyler Stinson provided an overview of the second Ukraine incident that occurred in December 2016. This attack was the first successful large scale attack on a utility system. He stated that a lot of analysis has been done and information shared on this event. Stinson also stated that he questions what can be done to prevent this type of attack and whether it can be prevented. In addition, he thinks more time should be spent on improving resiliency after an attack.

12. Other Business

Interim Chair Mike Kraft asked the council if there were any other items that need to be discussed. No comments were provided by the council.

13. Adjourn

Having no further business to discuss, the meeting was adjourned at 3:24 p.m.

Prepared by: Jennifer Matz, Council Secretary

Your signature represents independent verification that what the minutes say happened, did actually happen.

Reviewed and Submitted by: Richard Burt, Vice President of Risk Assessment, Mitigation and Standards

Exhibit A Meeting Attendees

Committee Members Present

Name | Organization
Mike Kraft, Interim Chair | Basin Electric Power Cooperative
Tim Anderson, Interim Vice Chair | Dairyland Power Cooperative
Stephen Brown | Xcel Energy
Mark Gabel | MISO (via WebEx)
John Hochevar | American Transmission Company
Jodi Jensen | Western Area Power Administration
Brian Kollmansberger | Alliant Energy
Warren LaPlante | Minnesota Power (ALLETE, Inc.)
Tyler Stinson | Xcel Energy

MRO Staff

Name | Title
Richard Burt | Vice President of Risk Assessment, Mitigation and Standards
Steen Fjalstad | Security and Mitigation Principal
Brian Kinstad | Risk Assessment and Mitigation Engineer
Jennifer Matz | Risk Assessment and Mitigation Administrator
William Steiner | Risk Assessment and Mitigation Principal
Miggie Cramblit (Teleconference) | Vice President, General Counsel, Corporate Secretary and Director of External Affairs

Guests In Person

Name | Organization
Marc Child | Great River Energy
Mike Christianson | U.S. Department of Homeland Security
Bob Griffith | Otter Tail Power Company
Tom Hofstetter | North American Electric Reliability Corporation
Jenifer Holmes | Alliant Energy
Christopher Lahr | Great River Energy
Elizabeth Mairs | Xcel Energy
Kevin O'Grady | Minnesota Public Utilities Commission
Richard Teegarden | Dakota Electric Association

Guests on Teleconference

Name | Organization
Ron Bender | Nebraska Public Power District
Derek Cherneski | Saskatchewan Power Corporation
Paul Crist | Lincoln Electric System
Alexander D'Ambrosio | Central Power Electric Cooperative
Tony Eddleman | Nebraska Public Power District
James Gulak | Public Safety Canada Prairie/NWT Region SK Office
Nathan Helder | ALLETE, Inc.
Randy Wagner | Basin Electric Power Cooperative
Chuck Woods | MidAmerican Energy Company
Mark Lucas | Great River Energy
Erik Weinmeister | Nebraska Public Power District

Colleen Wachowski | ITC Midwest
Scott Stoner | Nebraska Public Power District
Beth Gannett | E-ISAC
Brandi Feldman | Nebraska Public Power District
John Collins | FoxGuard
Doug Johnson | American Transmission Company
Dustin Erhardt | Basin Electric Power Cooperative
Fred Hintermister | E-ISAC
Orlando Stevenson | E-ISAC
Tony Aukland | NDSLIC

AGENDA 3 - MRO Staff Report

a. Staff Transitions
b. Communication from other MRO Organizational Groups

Steen Fjalstad, MRO Security and Mitigation Principal

Steen Fjalstad will provide an oral report to attendees at the meeting.

AGENDA 4 - Chair's Report

a. Mailing Lists
b. Web Sites (MRO SAC Collaboration Portal and MRO SAC Page)
c. Conducting business between meetings (e.g. MRO Sponsored Training)
d. MRO SAC Member terms

Mike Kraft, MRO SAC Chair

Date: May 4, 2017
To: MRO Security Advisory Council Members
From: Mike Kraft, MRO Security Advisory Council Chair
Subject: Chair's Report
Action: Discussion and Action

Dear MRO Security Advisory Council Members:

Since the February 2017 meeting, several key building blocks for the MRO Security Advisory Council have been put into place. I present them here for discussion and one item for action.

Mailing lists

Three mailing lists are being maintained for MRO SAC communication purposes.

List | Short Description
[mrosac] | A new list consisting of the core MRO SAC members to communicate MRO SAC related items.
[mrosac-plus] | A new list consisting of interested entity participants to communicate MRO SAC related items.
[mro-cipc-contacts] | An existing list targeting MRO Region Security Contacts. Used for reporting NERC CIPC information and receiving feedback from entities.

Web Sites (MRO SAC Collaboration Portal and MRO SAC Page)

Two web portals are available for the MRO SAC. The first is a private MRO SAC Collaboration Portal which is available to the core MRO SAC Members and MRO support staff. The second is available publicly through the MRO website on the MRO SAC Page. The MRO SAC Page contains the Roster, Charter and links to other pertinent MRO SAC documents.

AGENDA 4 Goals and Objectives for 2017 (Part I)

Conducting business between meetings (e.g. MRO Sponsored Training)

At the February 2017 meeting, it was mentioned the MRO SAC needs a mechanism to deal with business that comes up between meetings. The process followed for the MRO Sponsored Training was (1) an MRO SAC member made a proposal; (2) the MRO SAC Chair determined it was time sensitive; (3) an email was sent to MRO SAC members with the proposal asking for comments; (4) an email vote was called for [Yes, No, Abstain]; (5) the results were emailed to the MRO SAC members; (6) the topic was added to the next regularly scheduled meeting as an agenda item for full reporting.

Action Item: Endorsement of the process to conduct MRO SAC business between meetings.
(1) MRO SAC member makes a proposal to the MRO SAC Chair;
(2) MRO SAC Chair determines if time sensitive;
(3) Email is sent to MRO SAC members with the proposal asking for comments;
(4) Email vote is called for [Yes, No, Abstain];
(5) Results are emailed to the MRO SAC members;
(6) Topic added to the next scheduled meeting as an agenda item for full reporting.

MRO SAC Member terms

With the start of the MRO SAC came staggered terms. The current roster and term dates can be found on the MRO Web Site. Three MRO SAC positions will be expiring on December 31, 2017. The incumbents are able to be reappointed. The MRO SAC should discuss the timing and mechanism for making a recommendation to the MRO Board of Directors regarding MRO SAC Members.

AGENDA 5 - Work Plan Review and Update

MRO SAC Members

Mike Kraft will lead this discussion at the meeting. Provided below is the updated 2017 Work Plan.

MRO Security Advisory Council 2017 Work Plan
Last Updated: 02/02/17
Comment: Defined deliverables, and determined assignments

ID | Item | Status | Description, Deliverable | Soft Deadline, Hard Deadline | Sponsor; SAC Member; Volunteer(s) | Cybersecurity, Physical Security, Control System | Comments | Last Updated
2017-01-1 | SAC Meeting | Active | Webconference. Meeting | 01/19/17 | All | X X X | | 02/02/17
2017-01-2 | SAC Meeting | Active | In person meeting. Meeting | 01/26/17 02/02/17 | All | X X X | | 02/02/17
2017-01-3 | SAC Meeting | Active | Webconference. Meeting | 05/02/17 05/09/17 | All | X X X | | 02/02/17
2017-01-4 | SAC Meeting | Active | Webconference. Meeting | 07/25/17 08/01/17 | All | X X X | | 02/02/17
2017-01-5 | SAC Meeting | Active | In person meeting w/MRO Sec Con. Meeting | 09/22/17 09/29/17 | All | X X X | Hold concurrent with MRO Sec Con. | 02/02/17
2017-01-6 | SAC Meeting | Active | Annual review/planning meeting. Webconference. Closed. Meeting | 11/29/17 12/06/17 | All | X X X | Hold after MRO BoD meeting. | 02/02/17
2017-02-1 | MRO Board Report | Active | Q1 Report | 02/20/17 03/16/17 | Mike Kraft | X X X | | 02/02/17
2017-02-2 | MRO Board Report | Active | Q2 Report | 05/24/17 06/22/17 | Mike Kraft | X X X | | 02/02/17
2017-02-3 | MRO Board Report | Active | Q3 Report | 08/21/17 09/14/17 | Mike Kraft | X X X | | 02/02/17
2017-02-4 | MRO Board Report | Active | Q4 Report | 10/30/17 11/30/17 | Mike Kraft | X X X | | 02/02/17
2017-03-1 | MRO Board Annual Report | Active | Annual Report to Board. Report | 11/01/17 11/08/17 | Mike Kraft, Stephen Brown | X X X | | 02/02/17
2017-03-2 | Annual Review | Active | Annual Review of Charter, overall purpose and Key Objectives Report | 10/15/17 11/01/17 | All | X X X | | 02/02/17
2017-03-3 | SAC Stakeholder Survey | Active | Survey to determine effectiveness. Report | 10/01/17 10/01/17 | John Hochevar, Brian Kollmansberger | X X X | Metric for success. Are we providing value. Hard deadline for responses 10/15/17 | 02/02/17
2017-04-1 | Reliability Matters Article | Active | Mar/Apr Article | 02/17/17 02/27/17 | Tim Anderson | X X X | | 02/02/17
2017-04-2 | Reliability Matters Article | Pending | May/Jun Article | 04/21/17 04/28/17 | Stephen Brown | X | | 02/02/17
2017-04-3 | Reliability Matters Article | Pending | Jul/Aug Article | 06/23/17 06/30/17 | Jodi Jensen | X | | 02/02/17
2017-04-4 | Reliability Matters Article | Pending | Sep/Oct Article | 08/25/17 09/01/17 | Tyler Stinson | X | | 02/02/17
2017-04-5 | Reliability Matters Article | Pending | Nov/Dec Article | 11/22/17 12/01/17 | Warren LaPlante | X | | 02/02/17
2017-05-1 | MRO Sec Con 2017 | Active | MRO Sec Con event Conference | 09/28/17 | MRO; Brian Kollmansberger, John Hochevar, Mike Kraft; Marc Child, Paul Crist, Damon Ounsworth, Tony Rowan | X X X | | 02/02/17
2017-05-2 | MRO Sec Con 2017 | Active | Planning meeting. Meeting | 03/01/17 | | X X X | | 02/02/17
2017-05-3 | MRO Sec Con 2017 | Active | Planning meeting. Meeting | 04/01/17 | | X X X | | 02/02/17
2017-05-7 | MRO Sec Con 2017 | Active | Speaker orientation Meeting | 07/01/17 | | X X X | | 02/02/17
2017-05-8 | MRO Sec Con 2017 | Active | Speaker orientation Meeting | 09/22/17 | | X X X | | 02/02/17
2017-06-1 | NERC CIPC Report | Active | Q1 Report to Entities Meeting | 03/09/17 03/10/17 | MRO Reps on NERC CIPC; John Hochevar; Marc Child, Paul Crist, Damon Ounsworth | X X X | | 02/02/17
2017-06-2 | NERC CIPC Report | Active | Q2 Report to Entities Meeting | 06/08/17 06/09/17 | MRO Reps on NERC CIPC; John Hochevar; Marc Child, Paul Crist, Damon Ounsworth | X X X | | 02/02/17
2017-06-3 | NERC CIPC Report | Pending | Q3 Report to Entities Meeting | 09/07/17 09/08/17 | MRO Reps on NERC CIPC; John Hochevar; Marc Child, Paul Crist, Damon Ounsworth | X X X | | 02/02/17
2017-06-4 | NERC CIPC Report | Pending | Q4 Report to Entities Meeting | 12/14/17 12/15/17 | MRO Reps on NERC CIPC; John Hochevar; Marc Child, Paul Crist, Damon Ounsworth | X X X | | 02/02/17
2017-06-5 | NERC CIPC Report to BoD | Active | Q1 Report to MRO Board Report | 02/20/17 03/16/17 | MRO Reps on NERC CIPC; Mike Kraft; Marc Child, Paul Crist, Damon Ounsworth | X X X | | 02/02/17
2017-06-6 | NERC CIPC Report to BoD | Pending | Q2 Report to MRO Board Report | 05/24/17 06/22/17 | MRO Reps on NERC CIPC; Mike Kraft; Marc Child, Paul Crist, Damon Ounsworth | X X X | | 02/02/17
2017-06-7 | NERC CIPC Report to BoD | Pending | Q3 Report to MRO Board Report | 08/21/17 09/14/17 | MRO Reps on NERC CIPC; Mike Kraft; Marc Child, Paul Crist, Damon Ounsworth | X X X | | 02/02/17
2017-06-8 | NERC CIPC Report to BoD | Pending | Q4 Report to MRO Board Report | 10/30/17 11/30/17 | MRO Reps on NERC CIPC; Mike Kraft; Marc Child, Paul Crist, Damon Ounsworth | X X X | | 02/02/17
2017-06-9 | MRO SAC Report to NERC CIPC | Active | MRO SAC report to NERC CIPC. Report | 02/22/17 03/08/17 | MRO Reps on NERC CIPC; Mike Kraft; Marc Child, Paul Crist, Damon Ounsworth | X X X | | 02/02/17

Approved by the MRO Board: TBD

MRO Security Advisory Council 2017 Work Plan

ID | Item | Status | Description, Deliverable | Soft Deadline, Hard Deadline | Sponsor; SAC Member; Volunteer(s) | Cybersecurity, Physical Security, Control System | Comments | Last Updated
2017-07-1 | Webinar - Topic 1 Planning | Pending | DHS Infrastructure Survey Tool Webinar | 08/01/17 09/01/17 | Warren LaPlante; MN DHS PSA | X | | 02/02/17
2017-07-2 | Webinar - Topic 2 Planning | Pending | Threat Intel 101 Webinar | 05/01/17 06/01/17 | John Hochevar, Stephen Brown, Mark Gabel; Marc Child | X X | | 02/02/17
2017-07-3 | Webinar - Topic 3 Planning | Pending | Ukraine Review and Action Webinar | 06/01/17 07/01/17 | Tyler Stinson, Jodi Jensen | X | | 02/02/17
2017-07-4 | Webinar - Topic 4 Planning | Pending | GridEx IV Overview and Preparation Webinar | 05/01/17 05/15/17 | Brian Kollmansberger, Mark Gabel, Stephen Brown; Paul Crist, Elizabeth Mairs | X X X | | 02/02/17
2017-08-1 | Region Security Contacts | Active | Develop MRO Region Security Contacts Document | 07/15/17 08/01/17 | Warren LaPlante | X X X | | 02/02/17

Approved by the MRO Board: TBD

AGENDA 6 - MRO Representatives on the NERC CIPC

a. NERC CIPC Report

Marc Child, MRO Representative and Chair of the NERC CIPC

Marc Child will provide a NERC CIPC update to meeting attendees at the meeting. His presentation is provided below.


AGENDA 6 - MRO Representatives on the NERC CIPC

b. MRO Representation on the NERC CIPC

Mike Kraft, MRO SAC Chair and Alternate MRO Representative on the NERC CIPC

Purpose: The mission of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Committee (CIPC) is to advance the physical and cyber security of the critical electricity infrastructure of North America; and, serve as an expert advisory panel to the NERC Board of Trustees and standing committees in the security areas for physical, cyber, operations, compliance and policy matters.

Membership: The Board of Directors will appoint, based on the MRO SAC recommendations, three voting and three alternate members with expertise in three technical areas (physical security, cyber security, and operations) as defined below:

a. Physical Security Members are primarily focused on protection of electricity sector facilities. Members should have a background in corporate or physical security at an asset owner utility, ISO or RTO.
b. Cyber Security Members are technical experts in one or more areas of control systems security, information security, or systems architecture and design that affect the reliable operation of the Bulk Electric System.
c. Operations Members are primarily focused on system operations. Members should have a background in SCADA, EMS, substation or generating plant control equipment operation and administration.

Voting Members Expectations:

1. Bring subject matter expertise to the CIPC;
2. Be knowledgeable about physical and cyber security practices and challenges in the electricity sector;
3. Attend and participate in all CIPC meetings;
4. Express their own opinions at committee meetings but also represent the interests of their Regions;
5. Discuss and debate interests rather than positions;
6. Chair or co-chair a CIPC Work Group or Task Force at least once within a two-year term;
7. Complete assigned Committee, Task Force, and Working Group assignments; and,
8. Maintain, at a minimum, a Secret Clearance, or to the extent not already obtained, apply for a Secret Clearance.
9. Act as a conduit of information back to the MRO constituents.

Alternate Members Expectations:

1. Participate as a non-voting alternate in at least 1 CIPC meeting per year.
2. Be available to act as a proxy when primary CIPC representative is unavailable.
3. Participate in a CIPC Work Group or Task Force at least once within a two-year term.
4. Maintain, at a minimum, a Secret Clearance, or to the extent not already obtained, apply for a Secret Clearance.
5. Act as a conduit of information back to the MRO constituents.

NERC CIPC website

AGENDA 6 - MRO Representatives on the NERC CIPC

c. Term Limits for members of NERC Committees

Mike Kraft, MRO SAC Chair and Alternate MRO Representative on the NERC CIPC

Date: May 9, 2017
To: MRO Security Advisory Council Members
From: Mike Kraft, MRO Security Advisory Council Chair
Subject: Term Limits for members of NERC Committees
Action: None - Information

Dear MRO Security Advisory Council Members:

The MRO stakeholders serving as NERC Representatives on NERC organizational groups (committees, subcommittees, task forces etc.) have served for an indefinite period of time. MRO has established a three-year term limit for MRO NERC Representatives in Policy and Procedure 3 (see page 7) and is requesting we implement those term limits specific to the MRO Representatives on the NERC Critical Infrastructure Protection Committee (CIPC). A listing of the MRO Representatives on NERC Committees can be found on the MRO Website.

Rather than have all six (three primary and 3 alternate) MRO NERC CIPC Representatives' terms end on December 31, 2017, I would recommend working with the current CIPC Representatives to establish a staggered schedule to ensure continuity.

The schedule would propose the terms for the various representative positions:

Voting Representatives
- NERC CIPC - Cyber Security
- NERC CIPC - Physical Security
- NERC CIPC - Operations Security

Alternate Voting Representatives
- NERC CIPC - Cyber Security
- NERC CIPC - Physical Security
- NERC CIPC - Operations Security

The terms would end at the end of the calendar year:

Staggered Terms ending
- December 31, 2017
- December 31, 2018
- December 31, 2019

An Action on a proposed term schedule could occur at either the August 1, 2017 or September 29, 2017 MRO Security Advisory Council meetings.

AGENDA 6 - MRO Representatives on the NERC CIPC

d. Alternate NERC CIPC Representative with Operations expertise

Mike Kraft, MRO SAC Chair and Alternate MRO Representative on the NERC CIPC

Mike Kraft will lead this discussion at the meeting.

AGENDA 7 MRO Security Conference Update

a. SAC Sponsored Training

John Hochevar, MRO SAC Member

John Hochevar will provide an oral report to attendees at the meeting.

AGENDA 7 MRO Security Conference Update

b. Pre-Conference and Conference Agenda

Steen Fjalstad, MRO Security and Mitigation Principal

Steen Fjalstad will lead this discussion at the meeting.

AGENDA 8 Cybersecurity Update

a. MRO Region Security Risk Assessment

MRO SAC Members

Mike Kraft will lead this discussion at the meeting.

AGENDA 9 Physical Security Update

Warren LaPlante, MRO SAC Member

Warren LaPlante will lead this discussion at the meeting.

AGENDA 10 EMS/SCADA/Control Center Security Update

a. Takeaways from April 2017 ICSJWG Meeting

Jodi Jensen, MRO SAC Chair

Jodi Jensen will provide an EMS/SCADA/Control Center Security update to meeting attendees at the meeting. Her presentation is provided below.

ICSJWG Meeting
Jodi Jensen
May 9, 2017
MRO SAC Meeting WebEx

Why Did I Attend?
- New Role Senior SCADA Specialist
- SCADA Cyber Security
- Resilient SCADA Architecture

What is ICSJWG?
- Industrial Control Systems Joint Working Group
- Department of Homeland Security
- Share Information about Cyber Security for Critical Infrastructure
- Sectors include: Oil and Gas, Nuclear, Electric Grid, Water Systems, Industrial

Topic Threat Landscape
- VirusTotal - Uptick in ICS Malware
- PE Infector - Adds code to a legit binary executable and executes itself
- Downloader that named itself Siemens 2013 Malware in training manuals

Topic Cyber Informed Engineering
- Idaho Labs
- Engineer out risk during design phase
- May involve incorporating manual/human components
- Establish IT/OT Liaison

Topic Ransomware - Biggest Threat to the Power Grid
- PLCs have Linux 2.6.x Vulnerabilities
- Linux Variants > 200
- Killdisk
- Remote Access is a Risk
- Mitigation Application Whitelisting 3 to 4 years out

Topic Ransomware - Demo
- Water System Hacked
- Leveraged Remote Access
- PLCs talk to each other
- PLC is recoded to scan all connected PLCs
- Reprogram other PLCs
- Three vendor PLCs hacked in Demo
- Mitigation: Network Segmentation; Monitoring; Manage Remote Access

Topic Threatcasting
- Look out 25 years and imagine the threat environment
- Key take-aways
- Efficiency is easy to hack
- Complexity of Automated Systems leads to Vulnerabilities

Topic Cyber Expert Panel Takeaways
- Prioritize Data
- Separate Corporate from ICS
- Unidirectional Gateways

Topic Active Directory Vulnerabilities
- Pass the Hash Vulnerability
- Credential Theft
- Keys to the kingdom
- Once Stolen difficult to detect
- Look for unusual times and places credentials are used
- Applications, Services, and Backups requiring Domain Admin
- Mitigation: Remove Trusted for delegation

Topic Active Directory Vulnerabilities - DMZ
- Credentials are exposed
- Not Recommended:
  - 2 way trust where DMZ login is on corporate network
  - DMZ servers are members of ICS Domain
  - Adding an ICS Trust
- Recommendations:
  - Disable Admin accounts when not used
  - Separate Group enables Admin Accounts
  - Dedicate management machines for each tier. No sharing Credentials

Topic Final Thoughts
- Initiatives to reduce complexity and associated vulnerabilities in ICS
- Case for Simplicity in Energy Infrastructure
- Referenced at recent Congressional Hearing on Cyber Security
- Authors: Andy Bochman, Security Strategist at Idaho Labs; Tim Roxey, VP of Cyber Security at NERC; Michael Assante, Lead for SANS ICS
- Disable connections when not being used
- VLANs offer no security benefit

AGENDA 11 Partner Updates

Mike Kraft, MRO SAC Chair

Proposed List of Partners:

a. E-ISAC
b. Mid-Continent Compliance Forum (MCCF) - CIP Working Group
c. Government Partners - FBI, DHS, ICS-CERT, Public Safety Canada, RCMP (DHS Report is provided below)
d. State Fusion Centers
e. State PUCs
f. Trade Organizations
g. Industry

Mike Kraft will lead the discussion on this agenda item. Presentation is provided below.

DHS Cyber Resources Overview
9 May 2017
Harley D. Rinerson, Cyber Security Advisor, Region VIII
Office of Cybersecurity and Communications (CS&C)
National Protection and Programs Directorate (NPPD)
U.S. Department of Homeland Security

Agenda
- Cyber Security Advisor Program
- DHS Cyber Service Offerings
- Incident Response

CSA Program Mission

To provide direct coordination, outreach, and regional support in order to protect cyber components essential to the sustainability, preparedness, and protection of the Nation's Critical Infrastructure and Key Resources (CIKR) and State, Local, Territorial, and Tribal (SLTT) governments.

Cyber Security Advisor (CSA) Program in recognition that a regional and national focused cyber security presence is essential to protect critical infrastructure.

CSAs represent a front line approach and promote resilience of key cyber infrastructures throughout the U.S. and its territories.

CSA Program Activities

CSAs support four key DHS goals:
- Cyber Preparedness
- Risk Mitigation
- Incident & Information Coordination
- Cyber Policy Promotion & Situational Awareness

CSAs primarily facilitate three assessments:
- Cyber Resilience Reviews (CRR)
- Cyber Infrastructure Surveys (C-IST)
- External Dependency Reviews (EDM)

CSAs participate in local / regional cyber working groups, mostly organized by Federal and state partners

Cyber Security Advisors

[Map: Cyber Security Advisors and CSA's Office locations by DHS region, Regions I through X, with several positions marked vacant]

Advisors named on the map:
- Harley Rinerson, Region VIII, harley.rinerson@hq.dhs.gov
- Tony Enriquez, antonio.enriquez@dhs.gov
- Rich Richard, richard.richard@hq.dhs.gov
- Deron McElroy, W. US Supervisory CSA, deron.t.mcelroy@hq.dhs.gov
- Chad Adams, chad.adams@hq.dhs.gov
- George Reeves, george.reeves@hq.dhs.gov
- Bradford Willke, Chief of Field Operations / E. US Supervisory CSA, bradford.willke@hq.dhs.gov
- Klint Walker, klint.walker@hq.dhs.gov

DHS Service Offerings

Protected Critical Infrastructure Information Program

The Protected Critical Infrastructure Information (PCII) program protects infrastructure information voluntarily shared with DHS to be used for homeland security purposes. The PCII program was created by Congress in the Critical Infrastructure Information Act of 2002, ensuring that PCII in the government's hands is protected from disclosure.

PCII cannot:
- Be disclosed through a Freedom of Information Act (FOIA) request or through a request under a similar State, local, tribal, or territorial disclosure law;
- Be disclosed in Civil Litigation; or
- Be used for Regulatory Purposes.

PCII may only be used by a Federal, State, local, tribal, or territorial government employee or contractor who:
- Has taken PCII training;
- Has homeland security duties; and
- Has a valid need to know that particular information.

CRR, EDM, and C-IST are currently protected under the PCII program

Cyber Security Evaluations: Overviews

[Figure: evaluations placed on a scale from STRATEGIC (HIGH-LEVEL) to TECHNICAL (LOW-LEVEL)]
- CYBER RESILIENCE REVIEW (CRR) [CSA]
- EXTERNAL DEPENDENCIES MANAGEMENT (EDM) ASSESSMENT [CSA]
- CYBER INFRASTRUCTURE SURVEY TOOL (C-IST) [CSA]
- CYBERSECURITY EVALUATIONS TOOL (CSET) [ICS-CERT]
- ICS DESIGN ARCHITECTURAL REVIEW (DAR) [ICS-CERT]
- CYBER HYGIENE (CyHy) [NCATS]
- ICS NETWORK ARCHITECTURAL VERIFICATION & VALIDATION (NAVV) [ICS-CERT]
- RISK AND VULNERABILITY ASSESSMENT (RVA) [NCATS]

DHS Evaluations Summary

Cyber Resilience Review (CRR)
- Purpose and Value Proposition: Identify cyber security management capabilities and maturity
- Scope: Critical Service view
- Time to Execute: 5 to 6 Hours
- Information Sought: Capabilities and maturity indicators in 10 security domains
- Preparation: Short, 1-hour questionnaire plus planning calls
- Participants: IT/Security Manager, Continuity Planner, and Incident Responders
- Delivery By: SECIR/Stakeholder Risk Assessment & Mitigation

Cyber Infrastructure Survey Tool (C-IST)
- Purpose and Value Proposition: To calculate a comparative analysis and valuation of protective measures in-place
- Scope: Critical Cyber Service view
- Time to Execute: 2 ½ to 4 Hours
- Information Sought: Protective measures in-place
- Preparation: Planning call to scope evaluation
- Participants: IT/Security Manager
- Delivery By: SECIR/Stakeholder Risk Assessment & Mitigation

External Dependency Management (EDM) Assessment
- Purpose and Value Proposition: To assess the activities and practices utilized by an organization to manage risks arising from external dependencies.
- Scope: Critical Service view
- Time to Execute: 4 Hours
- Information Sought: Capabilities and maturity indicators across third party relationship management lifecycle domains
- Preparation: Planning call to scope evaluation
- Participants: IT / Security Manager with Contract Management
- Delivery By: SECIR/Stakeholder Risk Assessment & Mitigation

Onsite Cyber Security Evaluation Tool (CSET) Assessment
- Purpose and Value Proposition: Provides a detailed, effective, and repeatable methodology for assessing control systems security while encompassing an organization's infrastructure, policies, and procedures
- Scope: Industrial Control Systems
- Time to Execute: 8 Hours (1 Business Day)
- Information Sought: Industrial control system's core functions, infrastructure, policies, and procedures
- Preparation: Coordinated via Email. Planning calls if requested
- Participants: Control system operators/engineers, IT, policy/management personnel, and subject matter experts
- Delivery By: NCCIC/ICS-CERT

DHS Evaluations Summary

ICS-CERT Design Architecture Review (DAR)
- Purpose: Supports the cybersecurity design via investigative analysis, production, and maintenance of control systems and ICS components
- Scope: Industrial Control Systems / Network Architecture
- Time to Execute: 2 Days (8 Hours Each Day)
- Information Sought: Network design, configurations, interdependencies, and its applications
- Preparation: Coordinated via Email. Planning calls
- Participants: Control system operators/engineers, IT personnel, and ICS network, architecture, and topologies SMEs
- Delivered By: NCCIC/ICS-CERT

ICS Network Architecture Verification and Validation (NAVV)
- Purpose: Provides analysis and baselining of ICS communication flows, based upon a passive (nonintrusive) collection of TCP Header Data
- Scope: Industrial Control Systems / Network Architecture / Network Traffic
- Time to Execute: Variable (Hours to Days)
- Information Sought: Network traffic header-data to be analyzed with Sophia Tool
- Preparation: Coordinated via Email. Planning calls
- Participants: Control system operators/engineers, IT personnel, and ICS network, architecture, and topologies SMEs
- Delivered By: NCCIC/ICS-CERT

Network Risk and Vulnerability Assessment (RVA)
- Purpose: Perform penetration testing and security services to identify risks and vulnerabilities within IT systems, networks and applications
- Scope: Organization / Business Unit / Network-Based IT Service
- Time to Execute: Variable (Days to Weeks)
- Information Sought: Network, Database, Application scope and/or access to be tested with various security tools
- Preparation: Formal rules of engagement and extensive pre-planning
- Participants: IT/Security Manager and Network Administrators
- Delivered By: NCCIC/NCATS

Cyber Hygiene (CH) Evaluation
- Purpose: Identify public-facing Internet security risks, through service enumeration and vulnerability scanning
- Scope: Public-Facing, Network-Based IT Service
- Time to Execute: Variable (Hours to Continuous)
- Information Sought: Network service and vulnerability information
- Preparation: Formal rules of engagement and extensive pre-planning
- Participants: IT/Security Manager and Network Administrators
- Delivered By: NCCIC/NCATS

National Cyber Incident Response Plan (NCIRP)

National Cybersecurity Protection Act of 2014: Department of Homeland Security (DHS), in coordination with appropriate entities and individuals, develop, regularly update, maintain, and exercise adaptable cyber incident response plans to address cybersecurity risks to critical infrastructure.

PPD 41: Sets forth principles governing the Federal Government's response to any cyber incident, provides an architecture for coordinating the response to significant cyber incidents, and requires DHS to develop a National Cyber Incident Response Plan (NCIRP) to address cybersecurity risks to critical infrastructure.

NCIRP: Establishes the strategic framework and doctrine for a whole community approach to mitigating, responding to, and recovering from a cyber incident.

Presidential Policy Directive 41 Lines of Effort

Threat Response: Conducted by appropriate law enforcement and national security investigative activities; collecting evidence and gathering intelligence; linking related incidents; identifying threat pursuit and disruption opportunities; and facilitating information sharing and operational coordination with asset response.

Asset Response: Providing technical assistance to protect their assets, mitigate vulnerabilities, and reduce impacts of cyber incidents; assessing potential risks to the sector or region, including potential cascading effects, and facilitating information sharing and coordination; and providing guidance on how best to utilize Federal resources and capabilities in a timely, effective manner to speed recovery.

NCCIC in Brief

The mission of the National Cybersecurity and Communications Integration Center (NCCIC) is to serve as a national center for reporting of and mitigating communications and cybersecurity incidents.

Responsibilities include:
- Provide alerts, warnings, and a common operating picture on cyber and communications incidents in real time to virtual and on-site partners
- Work 24x7 with partners to mitigate incidents
- On-site partners include the Department of Defense, Federal Bureau of Investigation, Secret Service, Information Sharing and Analysis Centers (ISACs) and DHS components such as Office of Industry and Analysis
- Public and private sector partners share and receive information subject to information sharing protocols

http://www.dhs.gov/about-national-cybersecurity-communications-integration-center

Incident Reporting

NCCIC provides real-time threat analysis and incident reporting capabilities.
- 24x7 contact number: 1-888-282-0870
- https://forms.us-cert.gov/report/

When to Report: If there is a suspected or confirmed cyber attack or incident that:
- Affects core government or critical infrastructure functions;
- Results in the loss of data, system availability, or control of systems;
- Indicates malicious software is present on critical systems

Malware Submission Process:
- Please send all submissions to the Advanced Malware Analysis Center (AMAC) at: submit@malware.us-cert.gov
- Submissions must be provided in password-protected zip files using the password "infected"
- Web submission: https://malware.us-cert.gov

Contact Information

Harley Rinerson
Cyber Security Advisor, Region VIII
harley.rinerson@hq.dhs.gov

General Inquiries: cyberadvisor@hq.dhs.gov

Department of Homeland Security
National Protection and Programs Directorate
Office of Cybersecurity and Communications