Supply Chain Risk Management
Howard Gugel, Senior Director of Standards and Education
Member Representatives Committee Meeting
August 9, 2017


RELIABILITY | ACCOUNTABILITY

Cyber Security Supply Chain Standard

• Background
 FERC issued Order No. 829 on July 21, 2016
 Standard must be filed by September 2017

• Status
 Final ballot ended July 20, 2017
o CIP-013-1 – 84.2%
o CIP-005-6 – 88.8%
o CIP-010-3 – 81.4%
 Present at August Board of Trustees meeting
 FERC filing deadline of September 27, 2017

FERC Order No. 829

"[the Commission directs] that NERC, pursuant to section 215(d)(5) of the FPA, develop a forward-looking, objective-driven new or modified Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations."

- Order No. 829, July 2016

Focus

• High and medium impact Bulk Electric System (BES) Cyber Systems
• No requirements for low impact BES Cyber Systems
• NERC committed to addressing risks appropriately
 Identify best practices
 Develop guidance resources
 Support common understanding of compliance obligations

CIP-013-1 Requirements Summary

• R1 requires entities to develop supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems
 Planning processes to identify and assess cyber security risks from vendor equipment and software
 Procurement processes to address specific cyber security risks
• R2 requires entities to implement the plan(s)
• R3 requires periodic review and approval of the plan(s) by the CIP Senior Manager or delegate (at least once every 15 calendar months)

CIP-013-1 Implementation Guidance

• The Standard Drafting Team developed Implementation Guidance that gives examples of approaches for complying with CIP-013-1
• This Implementation Guidance has been endorsed by the ERO per NERC's Compliance Guidance Policy

CIP-005-6 Modifications

• Added operational requirements for vendor remote access
• Address risks from compromised vendor remote access
 Part 2.4 – Determining active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access)
 Part 2.5 – Ability to disable active vendor remote access (both kinds)

CIP-010-3 Modifications

• Added operational requirements for software integrity and authenticity
• Address risks from compromised vendor software
 Part 1.6.1 – Verify the identity of the software source
 Part 1.6.2 – Verify the integrity of the software obtained from the software source
 Applies prior to a change that deviates from the existing baseline configuration, when a method to verify is available to the entity from the software source
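Parts 1.6.1 and 1.6.2 carried out in code, as an added Go example that is not NERC's or any vendor's implementation: the vendor publishes a manifest of SHA-256 hashes for a release and signs the manifest with a release key; the entity verifies the signature under a vendor public key it obtained out of band and pinned (identity of the source), then hashes the downloaded artifact and compares it with the signed manifest (integrity). The key pair, the manifest format, the artifact names and bytes are generated or constructed inside the example; Ed25519 stands in for whatever the real vendor uses (code-signing certificates, PGP-signed checksum files). The scenarios show why both checks are needed: a hash list alone catches a swapped file but not a re-signed manifest, and a signature alone says nothing about the file actually installed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// VerifyRelease performs the two CIP-010-3 Part 1.6 checks before an artifact is installed:
// 1.6.1 the manifest must verify under the vendor's release key, which the entity obtained out
// of band and pinned (never from the download itself); 1.6.2 the artifact's SHA-256 must match
// the signed manifest. Manifest format (constructed): one "<sha256-hex>  <filename>" line each.
func VerifyRelease(vendorKey ed25519.PublicKey, manifest, sig []byte, name string, artifact []byte) error {
	if !ed25519.Verify(vendorKey, manifest, sig) {
		return errors.New("source check failed: manifest signature does not verify under the pinned vendor key")
	}
	want, ok := lookupHash(manifest, name)
	if !ok {
		return fmt.Errorf("integrity check failed: %q is not listed in the signed manifest", name)
	}
	got := sha256.Sum256(artifact)
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("integrity check failed: %s has sha256 %x, manifest says %x", name, got[:], want)
	}
	return nil
}

// lookupHash returns the manifest hash for name; a malformed entry counts as not found.
func lookupHash(manifest []byte, name string) ([]byte, bool) {
	for _, line := range strings.Split(string(manifest), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || f[1] != name {
			continue
		}
		h, err := hex.DecodeString(f[0])
		if err != nil || len(h) != sha256.Size {
			return nil, false
		}
		return h, true
	}
	return nil, false
}

// Release is what the entity downloads from the vendor, plus the pinned vendor key.
type Release struct {
	VendorKey ed25519.PublicKey
	Manifest  []byte
	Signature []byte
	Artifacts map[string][]byte
}

// NewSampleRelease builds a constructed vendor release: two artifacts, a manifest of their
// SHA-256 hashes, and an Ed25519 signature over the manifest by a freshly generated key.
func NewSampleRelease() Release {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifacts := map[string][]byte{
		"relay-fw-4.2.1.bin":    []byte("constructed firmware image bytes 4.2.1"),
		"hmi-patch-2017-08.zip": []byte("constructed HMI patch bytes"),
	}
	var sb strings.Builder
	for _, name := range []string{"relay-fw-4.2.1.bin", "hmi-patch-2017-08.zip"} {
		h := sha256.Sum256(artifacts[name])
		fmt.Fprintf(&sb, "%s  %s\n", hex.EncodeToString(h[:]), name)
	}
	manifest := []byte(sb.String())
	return Release{VendorKey: pub, Manifest: manifest, Signature: ed25519.Sign(priv, manifest), Artifacts: artifacts}
}

// Scenarios runs VerifyRelease over the genuine download and three tampering cases.
func Scenarios() map[string]error {
	rel := NewSampleRelease()
	const fw = "relay-fw-4.2.1.bin"
	evil := []byte("constructed backdoored firmware")
	out := map[string]error{}
	out["genuine"] = VerifyRelease(rel.VendorKey, rel.Manifest, rel.Signature, fw, rel.Artifacts[fw])
	// Artifact swapped on a mirror or in transit; manifest and signature untouched.
	out["tampered artifact"] = VerifyRelease(rel.VendorKey, rel.Manifest, rel.Signature, fw, evil)
	// Attacker rewrites the manifest for the backdoored file and signs it with their own key.
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	eh := sha256.Sum256(evil)
	evilManifest := []byte(hex.EncodeToString(eh[:]) + "  " + fw + "\n")
	out["re-signed by attacker"] = VerifyRelease(rel.VendorKey, evilManifest, ed25519.Sign(attacker, evilManifest), fw, evil)
	// A file the vendor never listed cannot be verified at all.
	out["unlisted file"] = VerifyRelease(rel.VendorKey, rel.Manifest, rel.Signature, "extra-tool.exe", []byte("x"))
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-22s %v\n", name, err)
	}
}
```

If the vendor key is fetched from the same download location as the package, 1.6.1 collapses into 1.6.2: an attacker who can replace the package can replace the key too, which is what the re-signed scenario models. Only the genuine case passes; the other three are rejected with the failing check named in the error.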

Implementation Plan

• All requirements become effective 18 months following regulatory approval

Question 1

How should NERC support effective implementation?

Themes:
• Additional implementation guidance
• Communication through webinars
• Vendors must be included
• Consistent audit guidelines
• Engage Critical Infrastructure Protection Committee

Question 2

How should NERC evaluate effectiveness of the standards going forward?

Themes:
• Allow implementation time prior to evaluation
• Establish expert group for feedback on success
• Engage technical committees in evaluation effort
• Use E-ISAC to track incidents
• Integrate supply chain compromise into GridEx exercise

Question 3

What risks and related issues should NERC study, including risks related to low impact BES Cyber Systems not covered by the standards?

Themes:
• Legacy support (including resellers)
• Mapping to non-ERO standards
• Low impact risks mitigated by implementation for medium and high impact BES Cyber Systems
• Review standards in other sectors

Question 4

Are there actions NERC should take to address additional potential supply chain risks?

Themes:
• Use webinars effectively
• Facilitate secure reporting
• Engage vendors and suppliers
• Participate in cross-industry forums
• Post and share lessons learned

Standards Deployment Activities

• Leverage industry experience by forming an industry advisory group to support deployment
• ERO Enterprise auditor training
• Industry webinars and workshops
• Vendor outreach on controls
• Engage Critical Infrastructure Protection Committee, forums, and trades to develop additional Implementation Guidance
• Evaluate effectiveness within two years of implementation
• Keep efficiency and effectiveness a priority

Addressing Residual Risks

• Technical committees to develop reliability guidelines
• Form vendor/industry working groups on supply chain risks
• Review supply chain risk practices in other industries and communicate effective strategies
• Ensure BES supply chain risks are addressed by product manufacturing standards
• Provide latest government intelligence to industry
• Partner with Department of Energy's Idaho National Laboratory to test legacy and planned equipment for supply chain vulnerabilities
• E-ISAC will issue bulletins as supply chain risks are identified

ERO Enterprise Long-Term Strategy, Operating Plan, & 2018 Metrics
Michael Walker, Senior Vice President and Chief Financial and Strategic Development Officer
Member Representatives Committee Meeting
August 9, 2017

Background

• Development of Long-Term Strategy
 Opportunity to step back, recognize emerging risks and the changing bulk power system (BPS) ecosystem
 Informs operational planning: ensure nothing big is overlooked
 Initiative supported by NERC and Regional Entity boards
• ERO Enterprise Strategic Plan rebranded as Operating Plan
 Focuses on operations for a three-year horizon
 Incorporates recommendations from the Reliability Issues Steering Committee's (RISC's) ERO Reliability Risk Priorities report (RISC report)
 Informs annual business plans and budgets

2017 Strategic and Operational Planning

• First drafts posted for stakeholder review and comment:
 ERO Enterprise Long-Term Strategy
 ERO Enterprise Operating Plan
 2018 ERO Enterprise Metrics
• Draft Long-Term Strategy reflects input from:
 March 2017 RISC Reliability Leadership Summit (RISC Summit)
 FERC Technical Conference
 NERC and Regional Entity board members
 ERO Enterprise senior leadership
• Updates to operating plan and metrics developed by ERO Enterprise senior leadership team

Strategic and Operational Planning Overview


ERO Enterprise Long-Term Strategy

• Discusses emerging risks and potential reliability impacts
• Recommends six long-term focus areas:
 Risk-based compliance, enforcement, and assessments
 Technical resources and capabilities
 Security
 Communication
 ERO Enterprise-wide operating effectiveness and efficiency
 International engagement

ERO Enterprise Operating Plan

• Guided by Long-Term Strategy
• Changes from last approved version (formerly ERO Enterprise Strategic Plan and Metrics):
 Refinement of vision, mission, and core principles
 Existing goals continued with addition of a goal focused on security
 Updates to contributing activities in support of Long-Term Strategy
 Addition of Regional Entity-specific contributing activities
 Removal of metrics as an appendix (now provided separately)
• Mapping to recommendations from the most recent RISC report will appear in a future draft

ERO Enterprise Operating Plan

• Vision: A highly reliable and secure North American bulk power system (BPS)
• Mission: To assure effective and efficient reduction of risks to the reliability and security of the BPS
• Core principles:
 Accountability
 Independence
 Inclusiveness and Transparency
 Innovation
 Excellence
 Integrity

ERO Enterprise Operating Plan

• Goal 1: Risk-responsive Reliability Standards
• Goal 2: Objective, risk-informed compliance monitoring, mitigation, enforcement, and entity registration
• Goal 3: Reduction of known reliability risks
• Goal 4: Identification and assessment of emerging reliability risks
• Goal 5: Identification and reduction of cyber and physical security risks
• Goal 6: Effective and efficient ERO Enterprise Operations

2018 ERO Enterprise Metrics

• Continues focus of 2017 metrics with six metrics focused on BPS reliability and security and one metric focused on efficiency and effectiveness
 NERC and the Regional Entities also maintain additional internal metrics governing individual, departmental, and corporate performance
• Notable changes from 2017 metrics:
 Removal of compliance severity index in Metric 5; now measures the percentage of serious risk violations
 Removal of Metric 6 sub-metric related to cold weather
 Greater focus on ERO Enterprise efficiency and effectiveness in Metric 7
 Historical data for each metric included

2018 ERO Enterprise Metrics

• Metric 1: Fewer, less severe events
• Metric 2: No gaps in Reliability Standards or compliance monitoring
• Metric 3: Any resource deficiencies are foreseen
• Metric 4: No disruption to Bulk Electric System (BES) facilities caused by unauthorized physical or electronic access
• Metric 5: Reduced reliability risk from non-compliance

2018 ERO Enterprise Metrics

• Metric 6: Reduced risks in targeted areas
a. Misoperations
b. Automatic AC transmission outages caused by human error
c. Transmission outages due to AC substation equipment failure or failed AC circuit equipment
d. Transmission line outages due to vegetation
• Metric 7: ERO Enterprise's efficiency and effectiveness
a. Financial performance
b. Technology solutions
c. Effectiveness survey

Path Forward

• Second drafts posted for review and comment in September
• Final to NERC Board of Trustees for approval in November
• Long-Term Strategy reviewed and updated as necessary (e.g., following RISC report updates)
• Operating Plan reviewed periodically (e.g., every two to three years) and updated as needed
• Metrics reviewed and approved annually
• Business plans and budgets continue to be reviewed and approved annually

Technical Rationale
Guidelines and Technical Basis
Howard Gugel, Senior Director of Standards and Education
Member Representatives Committee Meeting
August 9, 2017

Background of Guidelines and Technical Basis

• Initially designed to support results-based standards
 Contained an "information only" disclaimer
 Incorporated into standard development template
 Disclaimer paragraph was omitted
• Initiatives since inception
 Reliability Standard Audit Worksheets (RSAW)
 Risk-based Compliance Monitoring and Enforcement Program (CMEP)
 Compliance Guidance
• Confusion around application and status, in conjunction with new initiatives

Purpose

• Provides drafting teams a mechanism to:
 Explain the technical basis for a Reliability Standard
 Provide technical guidance to help support effective application
• To further clarify Guidelines and Technical Basis:
 NERC staff and Standards Committee (SC) leadership coordination
 Captured in Task 3 in SC Strategic Plan

Summary of Technical Rationale

• Transition existing Guidelines and Technical Basis to Technical Rationale
• A separate document to explain technical basis
• Focus on understanding technology and technical requirements
• No embedded compliance approaches or compliance guidance
 Appropriate use of NERC Compliance Guidance Policy
• NERC staff review for conformance

Work Plan

• Develop Technical Rationale document – complete
• SC endorsement – complete
• Presentation to Board of Trustees and Member Representatives Committee – complete
• Implementation
 Develop ERO guidance on existing Guidelines and Technical Basis and future Technical Rationale (e.g., CMEP Practice Guide) – Q3
 Review existing Guidelines and Technical Basis for possible Compliance Guidance language – Q4
 Transition existing Guidelines and Technical Basis to Technical Rationale – 2017 Q4 to 2018 Q3

Relevant Documents

• Mandatory and enforceable components of Reliability Standards
 Applicability
 Requirements
 Effective dates
• Regulatory documents (mandatory and enforceable)
 ERO filing for approval
 Regulatory order in applicable jurisdiction
• Technical information (not mandatory and enforceable)
 Technical Rationale (Guidelines and Technical Basis)
 Whitepapers
 Reliability guidelines

Relevant Documents (continued)

• Audit and Compliance (not mandatory and enforceable)
 RSAW
 Compliance Guidance
o Implementation Guidance
o CMEP Practice Guides

Cyber Security Issues Update
Marcus Sachs, Senior Vice President and Chief Security Officer
Member Representatives Committee Meeting
August 9, 2017

Increasing Levels of Cyber Threats

• Reputation damage
 Website defacement
 Phishing attack against customers, masquerading as a legitimate email
• Theft of intellectual property
 Employee or customer data (credit cards, passwords, etc.)
 Corporate intellectual property (plans, financials, blueprints, etc.)
• Ransomware
 Encrypts sensitive data, then demands payment for decryption
 Might install persistent access for later use
• Direct manipulation of control systems
 Jumps the boundary between enterprise (IT) systems and plant (OT) systems
 Disruptive, not destructive
• Mechanical or logical damage
 Destructive to system components
 "Bricking" a computer or protective relay
 Aurora-style damage to generators via remote manipulation of breakers

Phishing Email

Infected Attachment

Ransomware

Control System Manipulation

Recent Significant Cyber Activities

• WannaCry ransomware
• CrashOverride/Industroyer control systems malware
• Petya (aka NotPetya) ransomware
• Nuclear 17 investigation

WannaCry Ransomware

• Cyber attack affected multiple global sectors on May 12, 2017
• The attack spread quickly using an exploit, publicly released in April 2017, for a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol
 The exploit allowed the ransomware to infect unpatched machines over SMB; Microsoft had already patched the vulnerability in March 2017 (MS17-010)
 Microsoft released guidance for defending against SMB attacks that included protection for out-of-support products such as Windows XP and Server 2003
• Europol estimated that the attack hit at least 150 countries and infected 200,000 machines
 Hospitals, universities, manufacturers, and government agencies in Britain, China, Russia, Germany, and Spain were impacted
 One of the reported victims was Iberdrola, an electricity company based in the Basque region of Spain

WannaCry Ransomware

Still spreading ten weeks later


WannaCry in a Control Center


Industroyer/CrashOverride

• Investigation by two private-sector research companies
 Reports released on June 12, 2017
• Public Level 1 NERC alert released on June 13, 2017
• Reportedly used in Ukraine

Wired Article – June 20, 2017


(Not)Petya

• Ukraine was the apparent target of the June 27, 2017 attack
• Reports said that the Kiev metro system stopped accepting payment cards, while several chains of gas stations suspended operations
• Ukraine's deputy prime minister tweeted a picture appearing to show government systems were impacted. His caption reads:

"Ta-daaa! Network is down at the Cabinet of Minister's secretariat."

"Nuclear 17" Investigation

• Advanced Persistent Threat (APT) adversary targeting multiple infrastructure sectors
 APT uses carefully written phishing emails
 APT alters legitimate websites to contain malicious code
• Purpose is not confirmed, but could be an attempt to harvest login credentials (user name / password)
• Guidance published by the E-ISAC and the U.S. Government
 E-ISAC analysis available on the portal for asset owners and operators
 Government analysis available through FBI's InfraGard portal or DHS' Homeland Security Information Network (HSIN) portal
• Media coverage began in late June