Cyber Security for PUC’s Jeffrey R. Pillon Michigan Public Service Commission Mid-America Regulatory Conference June 17, 2009 Traverse City, Michigan
Cyber Security Threats are Increasing
The significant increase in new threats over the past year is indicative of the work of specialized malicious code authors and the existence of organizations that employ programmers dedicated to the production of these threats.
Cyber Security Threats
• In 2001, hackers penetrated the California Independent System Operator, which oversees most of the state's electricity transmission grid; the attacks were routed through California, Oklahoma, and China.
• The safety monitoring system of the Davis-Besse nuclear power plant in Ohio was offline for 5 hours due to the Slammer worm in January 2003.
• Aaron Caffrey, 19, brought down the Port of Houston in October 2003. This is thought to be the first well-documented attack on critical U.S. infrastructure.
• In March 2005, security consultants within the electric industry reported that hackers were targeting the U.S. electric power grid and had gained access to U.S. utilities' electronic control systems. In a few cases, these intrusions had "caused an impact."
• In April 2009, the Wall Street Journal stated that spies had hacked into the U.S. electric grid and left behind computer programs that could allow them to disrupt service.
It's not only hackers that you need to be concerned about.
[Image: a tornado near a state data center; picture from a security camera near Lansing, MI]
Roles for Public Utility Commissions
• Assuring that the cyber security requirements utilities are subject to are being met, with PUC oversight exercised as appropriate.
• PUC staff need to be up to date on cyber security requirements and potential threats.
• Assuring that the PUC's own computer systems and operations are subject to ongoing cyber security reviews and remediation, and that disaster recovery plans are in place and tested.
• This also includes cyber security awareness for agency employees.
• Understanding the National Strategy for Critical Infrastructure.
1. Utility Oversight
Cyber Security Requirements & Resources
• The North American Electric Reliability Corporation -- Standards CIP-002 through CIP-009 (the Critical Cyber Asset Identification portion of the Critical Infrastructure Protection standards)
• The National Institute of Standards and Technology (NIST) is developing a set of smart grid interoperability standards and specifications for inclusion in the Smart Grid Interoperability Standards Framework, Release 1.0.
• The Transportation Security Administration is partnering with the Gas Technology Institute to develop training and presentation materials that illustrate existing SCADA vulnerabilities and thereby raise the cyber security awareness of pipeline companies.
• The U.S. Computer Emergency Readiness Team (US-CERT)
• Multi-State Information Sharing and Analysis Center (MS-ISAC)
• FBI's InfraGard Program: http://www.infragard.net/
Benefits of the Smart Grid
[Chart; source: "San Diego Smart Grid Study", October 2006]
Power outages cost between $80 billion and $150 billion every year.
Smart Grid Matching Grant Program
Requires a description of how cyber security concerns will be addressed with respect to the use of best available equipment and the application of procedures and practices involving system design, testing, deployment, operations and decommissioning, including at a minimum:
• A description of the cyber security risks at each stage of the system deployment lifecycle,
• Cyber security criteria used for vendor and device selection,
• Cyber security control strategies,
• Descriptions of residual cyber security risks,
• Relevant cyber security standards and best practices, and
• Descriptions of how the project will support/adopt/implement emerging smart grid security standards.
From: Notice of Intent to Issue a Funding Opportunity Announcement for the Smart Grid Investment Grant Program, April 16, 2009
Cost Recovery
Investments in Smart Grid 50/50 Matching Grants
• Are the costs prudent?
• Will the resulting system be more secure, the power grid less vulnerable to outages, and recovery faster when outages do occur?
• To what degree have the cyber security requirements been met?
• Are PUC staff knowledgeable about cyber security, and do they know the questions that need to be asked?
2. PUC Internal Operations
Security of PUC's computer systems
This may be the responsibility of another state agency or office, but a failure will impact the business operation of the Commission.
• Assuring that the computer systems the PUC relies on have ongoing cyber security reviews and remediation of identified vulnerabilities.
• Disaster recovery plans are in place and tested, and Continuity of Operation Plans have been developed.
• Cyber security awareness for agency employees, including social engineering and insider threats.
Continuity of Operation Plans (COOP)
• Internal contingency plans of government and business to assure the rapid resumption of essential functions as soon as possible if they are disrupted for any reason: e.g., fire, tornado, hurricanes, wildfires, earthquakes, terrorism, pandemics, etc.
– Build self-reliance and resiliency
• Helps assure that critical/essential functions can quickly resume operations
• Addresses key or essential employees, required facilities, computer system records and back-up data systems, etc.
• Minimize damage & losses
• Management succession & emergency powers
On what cyber systems do you rely?
• What IT systems support critical PUC functions?
• Which systems are backed up?
• What systems are needed to support restoration?
• What systems are needed operationally?
• In what sequence should systems be restored?
• What are the telecommunication needs and requirements?
Hourly Loss from Downtime in the Information Technology Sector: $1.3 million/hr
Employee Education
http://www.michigan.gov/cybersecurity
3. The National Strategy for Critical Infrastructure
NIPP 2009 Update
• Incorporates extensive State, local, and private sector input
• Expands the risk management framework:
– Risk framework is based on threat, vulnerability, and consequences
– Focuses on assets, systems, networks, and functions
• Strengthens information sharing and protection to include the "information sharing life-cycle"
• Represents an "All Hazards" approach
• Establishes a "steady-state" of security across critical infrastructure/key resource (CI/KR) sectors
www.dhs.gov/nipp
The NIPP and Sector-Specific Plans
• Set Security Goals
• Identify Assets, Systems, Networks, and Functions
• Assess Risk (Consequences, Vulnerabilities, and Threats)
• Prioritize
• Implement Protective Programs
• Measure Effectiveness
Sector Specific Plan
IT Sector Goals
• Prevention and Protection Through Risk Management
• Situational Awareness
• Response, Recovery, and Reconstitution
"Public and private sector security partners have an enduring interest in assuring the availability of the infrastructure and promoting its resilience."
http://www.dhs.gov/xlibrary/assets/nipp-ssp-information-tech.pdf
Defining Resilience
The loss of resilience, R, can be measured as the expected loss in quality (probability of failure) over the time to recovery, t1 – t0. Thus, mathematically, R is defined as:
Source: Multidisciplinary Center for Earthquake Engineering Research framework for defining resilience (Bruneau and Reinhorn, 2007; Bruneau et al., 2003)
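Added note, not part of the slide: the cited MCEER framework (Bruneau et al., 2003) writes this loss as the area between full service and the actual service level, where Q(t) (an assumed symbol here) is the quality of the infrastructure as a percentage of normal at time t:

$$R = \int_{t_0}^{t_1} \left[ 100 - Q(t) \right] \, dt$$

R therefore shrinks either when the initial drop in Q(t) is smaller (robustness) or when t1 – t0 is shorter (rapid recovery), which is why both appear among the resilience factors that follow.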
Resilience has four factors
• Robustness
– The ability to operate or stay standing in the face of disaster
• Resourcefulness
– Skillfully managing a disaster once it unfolds
• Rapid Recovery
– The capacity to get things back to normal as quickly as possible after a disaster
• Learning lessons
– Having the means to absorb the new lessons that can be drawn from a catastrophe
Flynn, S. (2008). America the Resilient: Defying Terrorism and Mitigating Natural Disasters. Foreign Affairs, 87(2), 2-8.
Intersecting Stakeholder Interest
[Diagram of three overlapping stakeholder circles; the overlap is labelled "Resiliency" and "Public/Private Sector Partnerships"]
Federal
• Infrastructure Protection
• Governance
• Planning
• Information Sharing
• Technologies
Private Sector
• Business Continuity & Resilience
• Innovation & Quality
• Shareholder Value
State & Local
• Government Continuity & Resiliency
• Safety, Protection & Response
In 2004 Osama bin Laden enunciated a policy of "bleeding America to the point of bankruptcy."
Source: Homeland Security Advisory Council, Critical Infrastructure Task Force Report, January 2006
Questions?
Jeffrey R. Pillon, Manager, Energy Data & Security
Michigan Public Service Commission
E-mail: pillonj@michigan.gov
Phone: (517) 241-6171