ebook img

Cybersecurity of North American Electric Grid.pdf (PDFy mirror) PDF

2.6 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Cybersecurity of North American Electric Grid.pdf (PDFy mirror)

Energy & Infrastructure Program Energy Project National Security Program Homeland Security Project Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat A Report from the Co-chairs of the Bipartisan Policy Center’s Electric Grid Cybersecurity Initiative February 2014 DISCLAIMER The findings and recommendations expressed within this report are those of the co- chairs of the Bipartisan Policy Center’s Electric Grid Cybersecurity Initiative. While these findings and recommendations were informed by the discussion with the advisory group listed on page 1, they do not necessarily represent the views or opinions of advisory group members or the organizations they represent. Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat 1 Bipartisan Policy Center Electric Grid Cybersecurity Initiative Participants CO-CHAIRS General (Ret.) Michael Hayden Curt Hébert Susan Tierney Principal, The Chertoff Group; former Partner, Brunini, Grantham, Grower & Managing Principal, Analysis Group; Director, CIA; former Director, NSA Hewes, PLLC; former Chairman, FERC; former Assistant Secretary for former Chairman, Mississippi Public Policy, DOE; former commissioner, Service Commission Massachusetts Department of Public Utilities ADVISORY GROUP MEMBERS Scott Aaronson Paul Centolella James Sample Senior Director, National Security Vice President, Analysis Group; Chief Information Security Officer, Policy, Edison Electric Institute former commissioner, Public Utilities Pacific Gas and Electric Company Commission of Ohio Scott Baron Paul Stockton Director, Digital Risk and Security Roger Duncan Managing Director, Sonecon; former Governance, National Grid Research Fellow, Energy Institute, Assistant Secretary of Defense for University of Texas; former General Homeland Defense and Americas’ Jim Burpee Manager, Austin Energy Security Affairs President & CEO, Canadian Electricity Association Jessica Matlock Mark Weatherford Director, Government Relations, Principal, The Chertoff Group; Terry Boston Snohomish County Public Utility former Deputy Undersecretary for President & CEO, PJM Interconnection District Cybersecurity, DHS Robert Caldwell Jeff Nichols Chief Cyber Security Architect, General Director, Information Security and Electric Management, Sempra Energy Utilities 2 BPC ELECTRIC GRID CYBERSECURITY INITIATIVE STAFF Margot Anderson Meghan McGuinness Rosemarie Calabro Tully Executive Director, Energy Project Associate Director for Energy and Press Secretary, Energy Environment Joe Kruger Abbey Brandon Director for Energy and Environment Jason Burwen Press Assistant Senior Policy Analyst Carie Lemack Amanda Kaster Director, Homeland Security Project Blair Beasley Project Assistant Policy Analyst Blaise Misztal Acting Director, Foreign Policy Project ACKNOWLEDGEMENTS The Bipartisan Policy Center (BPC) would like to thank its funders for their strong support. We also thank advisory board members Paul Stockton of Sonecon, LLC, who drafted Chapter 5 of this report, and Paul Centolella of the Analysis Group who drafted portions of Chapters 2, 3, and 6. We are grateful for their expertise and contributions. We thank Doug Smith and Andrew Art of Van Ness Feldman, LLP for their invaluable input. We are grateful to Colleen Kelly, former policy analyst with the Energy Project, and Blake Harwood, former intern with the Homeland Security Project, for their work on the early stages of this project. In addition, we would like to thank NARUC and Commissioner Phillip Jones of the Washington Utilities and Transportation Commission for their helpful comments on a draft of this report. Special appreciation is also due to Marika Tatsutani for editing the report. Finally, we would like to acknowledge the following key staff or colleagues of advisory board members for the many contributions to this report: Patrick Brown, Director, U.S. Affairs, Canadian Electricity Association Chris Foster, Manager, Federal Government Relations, Pacific Gas and Electric Company Scott King, Information Security Manager, Sempra Energy Utilities Sean Mackay, Government Affairs, Sempra Energy Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat 3 Table of Contents List of Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Summary of Findings and Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 Standards and Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 Information Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 Responding to a Cyber Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12 Paying for Electric Grid Cybersecurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13 Conclusions and Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14 Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Chapter 2: The Existing Landscape for Electric Grid Cybersecurity Governance . . . . . . . . . . . . . . . . . 23 Executive Order 13636 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23 Federal Energy Regulatory Commission and North American Electric Reliability Corporation . . . . . . . . . . . . . . . . . . . . .24 Department of Energy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25 Department of Homeland Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26 National Institute of Standards and Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27 Recent Legislative Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27 State Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28 Cybersecurity Governance in Canada . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29 Public Safety Canada . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Provincial Oversight of NERC Reliability Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Ongoing Electric Sector Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30 Chapter 3: Standards and Best Practices for Cybersecurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Create Standards and Best Practices that Enable Effective Risk management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33 Bulk Power System: Key Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Distribution System: Key Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Complementing Existing Standards and Policies With a New Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38 Encouraging Participation in the Institute for Electric Grid Cybersecurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39 Liability protections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Cybersecurity insurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41 4 Table of Contents Improve Supply Chain Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43 Train a Cybersecurity Workforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44 Chapter 4: Information Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Address Legal Risks and Information Disclosure Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47 Potential Compliance Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Privacy Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Antitrust Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Protection of Proprietary or Confidential Business Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Information Sharing Liability Protections for Utilities Under CISPA and Executive Order 13636 . . . . . . . . . . . . . . . . . . . . . . . 49 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50 Increase Security Clearances and Access to Intelligence Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51 Support Information Sharing with International and State Counterparts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 Support Information Sharing across Critical Infrastructure Sectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 Chapter 5: Responding to a Cyber Attack on the North American Electric Grid . . . . . . . . . . . . . . . . . . 55 Understanding the Response Challenge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55 The National Response Framework (NRF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56 Interim National Cyber Incident Response Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57 Resolving Differences Between Response Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58 Chapter 6: Paying for Electric Grid Cybersecurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Evaluating Cybersecurity Investments for Cost Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61 “Public Good” Nature of Cybersecurity Investments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Chapter 7: Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat 5 List of Acronyms AFNG Air Force National Guard FERC Federal Energy Regulatory Commission AMI Advanced Metering Infrastructure GAO Government Accountability Office BPC Bipartisan Policy Center GCC Government Coordinating Council CCRIC Canadian Cyber Incident Response Centre GICSP Global Industrial Cyber Security Professional CEDS Cybersecurity for Energy Delivery Systems GRID Grid Reliability and Infrastructure Defense CIP Critical Infrastructure Protection GridEx Grid Security Exercise CISO Chief Information Security Officer GridSecCon Grid Security Conference CISPA Cyber Intelligence Sharing and Protection Act ICS-CERT Industrial Control Systems Cyber Emergency Response Team CRISP Cybersecurity Risk Information Sharing Program INPO Institute of Nuclear Power Operations DHS U.S. Department of Homeland Security ISAC Information Sharing and Analysis Center DOC U.S. Department of Commerce MOU Memorandum of Understanding DOE U.S. Department of Energy NARUC National Association of Regulatory Utility Commissioners DOJ U.S. Department of Justice NCCIC National Cybersecurity and ECPA Electronic Communications Privacy Act Communications Integration Center EPRI Electric Power Research Institute NCIRP National Cyber Incident Response Plan ESCC Electricity Sub-sector Coordination Council NCRAL National Cyber Risk Alert Level ES-C2M2 Electricity Sector Cybersecurity NEIL Nuclear Electric Insurance, Ltd. Capability Maturity Model NERC North American Electric ES-ISAC Electricity Sector Information Reliability Corporation Sharing and Analysis Center NIST National Institute of Standards FBI Federal Bureau of Investigation and Technology FEMA Federal Emergency Management Agency NRF National Response Framework 6 List of Acronyms NSF National Science Foundation SnoPUD Snohomish County Public Utility District PSC Public Safety Canada STIX Structured Threat Information Expression PUC Public Utility Commission TAXII Trusted Automated Exchange of Indicator Information RMP Risk Management Process TRIA Terrorism Risk Insurance Act SAFETY Support Anti-Terrorism by Fostering Effective Technologies UCG Unified Coordination Group SCADA Supervisory Control and Data Acquisition US-CERT U.S. Computer Emergency Readiness Team Energy & Infrastructure Program National Security Program Energy Project Homeland Security Project

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.