Trusted Cyber Security and Regulatory Compliance for Critical Infrastructure

 

Regulatory Information

EXCERPTS FROM CONGRESSIONAL RESEARCH SERVICE


Government and Industry Cooperation on Grid Cybersecurity

Cooperation between the federal government and the electric power sector now extends beyond mandatory and enforceable industry standards for the bulk electric system. However, such cooperation has not always been typical. Companies apparently were not aware of other government efforts. Reports began to emerge in 2010 that the federal government had been developing the capability to detect cyber intrusions on private critical infrastructure company networks. The program, dubbed Perfect Citizen, reportedly was designed to detect cyber intrusions using sensors in computer networks that would be activated by “unusual activity.”74


While a number of voluntary structures now exist for information sharing and cybersecurity strategies, the degree of adoption by electric utilities and the overall effectiveness of these programs are unknown. The FY2016 budget proposes $14 billion in cybersecurity funding for “critical initiatives and research” across the federal government.75


Several of the key organizations and their missions with regard to electric power sector cybersecurity are profiled below.


Department of Energy

The Department of Energy (DOE) is home to a number of voluntary initiatives and programs for electric sector cybersecurity, with the Office of Electricity Delivery and Energy Reliability (OE) having the lead role. DOE considers the security and resilience of the electric sector to be paramount “ ... since it is arguably the most complex and critical infrastructure that other sectors depend upon to deliver essential services.”76 Several of these programs are described below.


National Electric Sector Cybersecurity Organization (NESCO)

In 2009, under the FY2010 Energy and Water Appropriations Act (P.L. 111-85), Congress directed DOE to form a national organization which would serve as the National Electric Sector Cybersecurity Organization resource.


The Secretary shall establish an independent national energy sector cyber security organization to institute research, development and deployment priorities, including policies and protocol to ensure the effective deployment of tested and validated technology and software controls to protect the bulk power electric grid and integration of smart grid technology to enhance the security of the electricity grid.77


DOE selected two organizations to form the National Electric Sector Cybersecurity Organization (NESCO): EnergySec and the Electric Power Research Institute (EPRI).78 EnergySec provides support for “information sharing, professional development and collaborative programs and projects that improve the cyber security posture of all participating organizations.” EPRI serves as the research and analysis resource for NESCO. NESCO’s mission is to improve the “cybersecurity posture of the electric sector by establishing a broad-based public-private partnership for collaboration and cooperation” by providing a forum for cybersecurity experts, developers, and systems users.79


Electricity Subsector Cybersecurity Capability Maturity Model

The Cybersecurity Capability Maturity Model (C2M2) was developed by DOE-OE, the Department of Homeland Security (DHS), and industry as a self-evaluation survey tool for any organization to address cybersecurity vulnerabilities. The C2M2 asks users to assess cybersecurity control implementation across 10 areas of cybersecurity “best practices” based on an evaluation of the maturity of a specific cybersecurity function.80 The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) goes one step further, specifically tailoring the core C2M2 survey for the electricity subsector with a “maturity model, an evaluation tool, and DOE facilitated self-evaluations.”81


Additionally, in 2006, DOE released a report titled Roadmap to Secure Control Systems in the Energy Sector. It outlined a strategic framework to be developed by industry, vendors, academia and government stakeholders to “design, install, operate, and maintain a resilient energy delivery system capable of surviving a cyber-incident while sustaining critical functions.” The plan called for a 10-year implementation timeline focusing on barriers and recommended strategies for achieving effective grid cybersecurity. A five-year update released in 2011 highlighted what had been achieved to date, discussing ongoing efforts with respect to short- to long-term goals.82



Department of Homeland Security

DHS has a broad mission to make the United States safe and resilient against terrorism and other potential threats.83 The cyber and physical security of the grid are encompassed in this mission, and DHS has several initiatives in pursuit of these goals.


National Protection and Programs Directorate

The National Protection and Programs Directorate (NPPD) coordinates national efforts to protect critical infrastructure, working with partners “at all levels of government, and from the private and non-profit sectors” to share information to make critical infrastructure more secure. Under NPPD are several offices focused on cybersecurity, critical infrastructure protection, and resiliency:84


  • The Office of Cyber and Infrastructure Analysis (OCIA) uses information received from public and private sources to conduct consequence modeling, simulation, and analysis to inform cyber and physical security risk management for U.S. critical infrastructure.
  • The Office of Infrastructure Protection (IP) helps critical infrastructure owners and operators to understand and address risks to critical infrastructure. The office provides tools and training to critical infrastructure owners to help them manage risks to their assets, systems, and networks.
  • The Office of Cybersecurity and Communications (CS&C) is responsible for enhancing the security, resilience, and reliability of the nation’s cyber and communications infrastructure. A major priority of the office is the reduction of cyber risks to federal and private Internet domains from terrorist attacks, natural disasters, or other emergencies. CS&C is also the home of the National Cybersecurity and Communications Integration Center (NCCIC).


NCCIC is focused on “cyber situational awareness, incident response, and management.”85 NCCIC acts as an information sharing forum for the public and private sectors to improve understanding of cybersecurity and communications vulnerabilities and incidents, and mitigation and recovery from cyber events. NCCIC’s mission is to reduce the likelihood and severity of incidents that may “significantly compromise the security and resilience of the Nation’s critical information technology and communications networks.”86


The NCCIC works closely with those federal departments and agencies most responsible for securing the government’s cyber and communications systems, and actively engages with private sector companies and institutions, state, local, tribal, and territorial governments, and international counterparts. Each group of stakeholders represents a community of practice, working together to protect the portions of critical information technology that they own, operate, manage, or interact with.87


Two critical branches of NCCIC with functions important to electric grid cybersecurity are the United States Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).


  • US-CERT brings advanced network and digital media analysis expertise to bear on malicious activity targeting our nation’s networks. US-CERT develops timely and actionable information for distribution to federal departments and agencies, state and local governments, private sector organizations, and international partners. In addition, US-CERT operates the National Cybersecurity Protection System (NCPS), which provides intrusion detection and prevention capabilities to covered federal departments and agencies.88

  • US-CERT developed the Einstein 2 intrusion detection system used by the National Cybersecurity Protection System (NCPS).

  • NCPS intrusion detection capabilities alert DHS to the presence of malicious or potentially harmful computer network activity transiting to and from participating federal executive branch civilian agencies’ information technology networks. This capability is deployed via EINSTEIN 2 and provides for improved detection and notification capabilities to provide near real time response to cyber threats.90

  • ICS-CERT reduces risk to the nation’s critical infrastructure by strengthening control systems security through public-private partnerships. ICS-CERT has four focus areas: situational awareness for Critical Infrastructure and Key Resources stakeholders; control systems incident response and technical analysis; control systems vulnerability coordination; and strengthening cybersecurity partnerships with government departments and agencies.89

  • ICS-CERT coordinates responses to control systems-related security incidents and facilitates information sharing91 among federal, state, and local agencies and organizations; the intelligence community; and private sector constituents, including vendors, owners and operators, and international and private sector CERTs. The focus on control systems cybersecurity provides a direct path for coordination of activities among all members of the critical infrastructure stakeholder community.


Science and Technology Directorate

The Science and Technology Directorate (S&T) was created to provide science and technology in support of DHS’s mission. Since DHS assists in efforts for the security and resiliency of the grid, the Smart Grid, with its characteristics of self-healing from power disturbance events and operating resiliently against physical and cyber threats, is of particular interest.92


S&T also has a Cyber Security Division whose mission is to enhance the security and resilience of the nation’s critical information infrastructure and the Internet by93


  1. developing and delivering new technologies, tools and techniques to enable the United States to defend, mitigate and secure current and future systems, networks and infrastructure against cyberattacks;
  2. conducting and supporting technology transition; and
  3. leading and coordinating cybersecurity research and development for department customers, and with government agencies, the private sector and international partners.


Since recovery from cyberattacks is seen as a part of S&T’s resiliency focus, S&T is working on several electric power sector specific initiatives. These include the Resilient Electric Grid (an effort to “keep the lights on” in the event of a power outage by enabling distribution level power substations to share power with one another), and the Recovery Transformer (a program developing a prototype large power transformer to enable a quicker recovery [i.e., within days instead of months or years] from an event which might damage key transformers).94 S&T is currently managing an effort to assess the state of the Smart Grid concept, as well as specific technologies needed to achieve goals of ensuring Smart Grid security and resiliency.95


National Institute of Standards and Technology

The Energy Independence and Security Act of 2007 (EISA) (P.L. 110-140) defined attributes of a Smart Grid and plans for its development. EISA also gave the National Institute of Standards and Technology (NIST) the role of coordinating the development of a framework to enable the development of the Smart Grid in a safe and secure manner. Because cybersecurity threats were perceived as “diverse and evolving,” NIST advocated a defense-in-depth strategy with multiple levels of security and asserted no single security measure could counter all types of threats.96 The key to NIST’s suggested approach is the determination of risk (i.e., the potential for an unwanted outcome resulting from internal or external factors, as determined from the likelihood of occurrence and the associated consequences) as quantified by the threat (e.g., event, actor or action with potential to do harm), the vulnerability (e.g., weakness in the system), and the consequences (e.g., physical impacts) to the system.97


NIST published its Guidelines for Smart Grid Cybersecurity98 as a comprehensive, voluntary framework for organizations to use in developing effective cybersecurity strategies “tailored to their particular combinations of Smart Grid-related characteristics, risks, and vulnerabilities.”


According to NIST, deliberate attacks are not the only threat to Smart Grid cybersecurity.


Smart grid cybersecurity must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. The Smart Grid Interoperability Panel (SGIP) Cybersecurity Committee (SGCC) ... is moving forward in FY14 to address the critical cybersecurity needs in the areas of Advanced Metering Infrastructure security requirements, cloud computing, supply chain, and privacy recommendations related to emerging standards. This project will provide foundational cybersecurity guidance, cybersecurity reviews of standards and requirements, outreach, and foster collaborations in the cross-cutting issue of cybersecurity in the smart grid.99


NIST established the Smart Grid Interoperability guidelines with a primary goal of developing a cybersecurity risk management strategy to enable secure “interoperability”100 of technologies across different Smart Grid domains and components.


NIST was asked in 2013 by Presidential Executive Order No. 13636, “Improving Critical Infrastructure Cybersecurity,”101 to lead the development of a “Cybersecurity Framework” to reduce cyber risks.102 The framework was based on industry methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks, incorporating “voluntary consensus standards and industry best practices to the fullest extent possible.” The first version of the Framework was released on February 12, 2014.103 Sector-specific federal agencies (such as DOE) are to report annually to the President on the extent to which owners and operators of critical infrastructure at greatest risk are participating in the program.104


NIST also hosts the National Cybersecurity Center of Excellence, which is focused on getting better adoption of secure, commercially available cybersecurity technologies by both the public and private sectors.105


North American Electric Reliability Corporation (NERC)

NERC’s Critical Infrastructure Protection Committee (CIPC) is responsible for its physical security and cybersecurity initiatives. CIPC consists of both NERC-appointed regional representatives and technical subject matter experts, and serves as an expert advisory panel to the NERC Board of Trustees. It has standing subcommittees in the areas of physical security and cybersecurity. The CIPC also oversees the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).106


Electricity Sector Information Sharing and Analysis Center (ES-ISAC)

ES-ISAC seeks to establish situational awareness, incident management, coordination and communication capabilities within the electricity sector through timely information sharing. The ES-ISAC works with DOE and the Electricity Sector Coordinating Council (ESCC) to share critical information with the electricity sector, enhancing its ability to “prepare for and respond to cyber and physical threats, vulnerabilities and incidents.”107

The Electricity Sector Information Sharing and Analysis Center ... which was established in 1998 under Presidential Decision Directive 63 (President Bill Clinton), called for the establishment of an ISAC for each of the eight infrastructure industries deemed critical to our national economy and public well-being.108


NERC members who are “registered entities”109 can report information regarding cyber incidents to ES-ISAC via a secure Internet exchange, and also receive information on threats.110


Electricity Sub-Sector Coordinating Council (ESCC)

The Electricity Sub-Sector Coordinating Council is the principal liaison between the federal government and the electric power sector. It represents the electricity sub-sector (as part of the Energy Critical Infrastructure sector)111 under DHS’s National Infrastructure Protection Plan (NIPP).112 The ESCC draws its membership from all segments of the electric utility industry, and is led by three chief executive officers—one each from the American Public Power Association, the Edison Electric Institute, and the National Rural Electric Cooperative Association.113 Among its activities, the ESCC coordinates industry and government efforts on grid security, guides infrastructure investments and R&D for critical infrastructure protection, seeks to improve threat information sharing and processes with public and private sector stakeholders, and coordinates cross sector activities with other critical infrastructure sectors. A Senior Executive Working Group (SEWG) supports the mission and activities of the ESCC, creating ad hoc “sub teams” to address goals identified by utility and government executives.114


Edison Electric Institute

The Edison Electric Institute (EEI), as the trade association for investor-owned electric utilities, has been involved with the formation of industry partnerships on cybersecurity issues with a number of federal agencies. Information sharing between public and private entities is an issue the industry considers critical in protecting the grid against cyber-threats.115 The industry is involved in several information sharing efforts including the ES-ISAC, ESCC, and NCCIC.






74 Siobhan Gorman, “U.S. Plans Cyber Shield for Utilities, Companies,” Wall Street Journal, July 8, 2010, http://www.wsj.com/articles/SB10001424052748704545004575352983850463108.


75 The budget proposes $149 million for current federal programs focused on improving the cybersecurity of private sector partners of government programs. It includes another $243 million to support research and development at civilian agencies for innovative cybersecurity technologies. See White House, “Middle Class Economics: Cybersecurity,” The President’s Budget FY2016, 2015, https://www.whitehouse.gov/sites/default/files/omb/budget/fy2016/assets/fact_sheets/cybersecurity.pdf


76 DOE, Office of Electricity Delivery and Energy Reliability, Cybersecurity, 2015, http://energy.gov/oe/services/cybersecurity


77 P.L. 111-85. See Title III, DOE Energy Programs.


78 See http://energy.gov/oe/services/cybersecurity/nesco


79 See http://www.energysec.org/services/advisory-services/


80 See http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program


81 See “Electricity Subsector Cybersecurity Capability Maturity Model Version 1.1” at http://energy.gov/sites/prod/files/2014/02/f7/ES-C2M2-v1-1-Feb2014.pdf


82 The update discussed roadmaps for improving areas such as intrusion detection and development of metrics for measuring security improvements. See U.S. Department of Energy, Energy Sector Control Systems Working Group, Roadmap to Achieve Energy Delivery Systems Cybersecurity, September 2011, http://energy.gov/sites/prod/files/Energy%20Delivery%20Systems%20Cybersecurity%20Roadmap_finalweb.pdf.


83 DHS was established by the Homeland Security Act of 2002 (P.L. 107-296)


84 DHS, “About the National Protection and Programs Directorate - Divisions,” http://www.dhs.gov/about-national-protection-and-programs-directorate.


85 DHS, “About the National Cybersecurity and Communications Integration Center,” November 4, 2014, http://www.dhs.gov/about-national-cybersecurity-communications-integration-center. (Hereinafter NCCIC).


86 Ibid.


87 Ibid.


88 See https://www.us-cert.gov/


89 See https://ics-cert.us-cert.gov/


90 See DHS, National Cybersecurity Protection System, Detection, April 2, 2014, http://www.dhs.gov/national-cybersecurity-protection-system-ncps.


91 See CRS Report R43941, Cybersecurity and Information Sharing: Legal Challenges and Solutions, by Andrew Nolan.


92 See http://www.dhs.gov/science-and-technology.


93 See http://www.dhs.gov/science-and-technology/cyber-security-division.


94 DHS considers the development and testing of the recovery transformer to be a success. See U.S. Congress, House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, The DHS and DOE National Labs: Finding Efficiencies and Optimizing Outputs in Homeland Security Research and Development, 112th Cong., 2nd sess., April 19, 2012, H. Hrg.112-84 (Washington: GPO, 2013), pp. 7-11. DOE is now looking at the need to develop a stockpile of transformers for use in an EMP event (See http://www.eenews.net/energywire/stories/1060014919).


95 See http://www.dhs.gov/science-and-technology/about-st.


96 National Institute of Standards and Technology, Smart Grid Interoperability Panel Cyber Security Working Group, Introduction to NISTIR 7628, Guidelines for Smart Grid Cyber Security, September 2010, http://csrc.nist.gov/publications/nistir/ir7628/introduction-to-nistir-7628.pdf. (Hereinafter NISTIR).


97 NISTIR, p. 9.


98 NIST first published the report in 2010. The current version was released in September 2014 as NISTIR 7628 Revision 1. See http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf.


99 NIST, Cybersecurity for Smart Grid Systems, January 24, 2014, http://www.nist.gov/el/smartgrid/cybersg.cfm.


100 Interoperability can be defined as the capability of two or more networks, systems, devices, applications, or components to share and readily use information securely and effectively with little or no inconvenience to the user. GridWise Architecture Council, Interoperability Path Forward Whitepaper, November 30, 2005, http://www.gridwiseac.org/pdfs/interoperability_path_whitepaper_v1_0.pdf.


101 See http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.


102 CRS Report R42984, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress, by Eric A. Fischer et al.


103 NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.


104 See https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.


105 See http://nccoe.nist.gov/.


106 See http://www.nerc.com/comm/CIPC/Pages/default.aspx.


107 See NERC, ES-ISAC, 2013, http://www.nerc.com/pa/CI/ESISAC/Pages/default.aspx.


108 See https://www.esisac.com/SitePages/FAQ.aspx.


109 NERC members must apply to ES-ISAC to become registered entities. “The ES-ISAC is reviewing its policy regarding integrating potential external parties and their expertise and capabilities with the ES-ISAC.” See https://www.esisac.com/SitePages/FAQ.aspx.


110 “All registered entities in the North American electricity sector may be participants in the ES-ISAC. Although the ISAC framework is a U.S. government construct, the ES-ISAC extends across all of NERC’s territory, which includes both Canada and portions of Mexico.... Registered entities who are members of the ES-ISAC received private-level information on security threats, including alerts; remediation; various task forces; events calendars; and other security-specific resources.” See https://www.esisac.com/SitePages/FAQ.aspx.


111 The Energy Critical Infrastructure sector includes the electricity, petroleum, and natural gas subsectors. See http://www.dhs.gov/critical-infrastructure-sectors.


112 See http://www.dhs.gov/national-infrastructure-protection-plan.


113 Edison Electric Institute, Electric Subsector Coordinating Council, March 2015, http://www.eei.org/issuesandpolicy/cybersecurity/Documents/ESCC%20Brochure.pdf


U.S. Congressional Research Service. Cybersecurity Issues for the Bulk Power System (RL30588; June 10, 2015), by Richard J. Campbell. Text in: LexisNexis® Congressional Research Digital Collection; Accessed: 1 May 2017.