SEC18 Ebinder

The document announces a physical and cyber security conference on January 30-31, 2018 in Tempe, Arizona. The conference will address topics of concern for transmission asset owners, operators, and security managers. It will feature presentations from security specialists from the Department of Energy and electric industry organizations on subjects including the design basis threat, intrusion detection systems, and NERC compliance audits. A preliminary agenda outlines presentations on physical security risk assessment tools, the relationship between physical and cyber security, and lessons learned from cyber-attacks.

Physical and Cyber Security Conference
January 30-31, 2018
SRP’s Pera Club, Tempe, AZ

Instructed by:
Michael Sparks, Director, Office of Security Assistance, U.S. Department of Energy
Mark Hojnacke, Physical Security Specialist, Office of Security Policy, U.S. Department of Energy
Carl Pocratsky, Engineer, Office of Security Assistance, U.S. Department of Energy
David Batz, Sr. Director, Cyber & Infrastructure Security, Edison Electric Institute
Sam Sharwarko, Physical Security Specialist, Western Area Power Administration
Laurie Williams, Sr. Manager, Operations & Planning Reliability Compliance, PNM Resources
Art Weise, Transmission & Distribution Manager, Nebraska Public Power District
Luke Wollin, Director, Transmission Design, Ameren
Chris Lyles, Asset Management Specialist, Western Area Power Administration
Ruben Robles, Manager, Critical Infrastructure Protection, SRP
Gilbert D. Flores, Emergency Management Specialist, Western Area Power Administration
Tiffani DeFore, Emergency Management Program Manager, Western Area Power Administration

RMEL ~ 6855 S. Havana, Ste 430 ~ Centennial, CO 80112 ~ (303) 865-5544 ~ FAX: (303) 865-5548 ~ www.RMEL.org
*Presentations are subject to change. Please visit www.RMEL.org for the latest topic and speaker information.

Preliminary CONFERENCE Agenda
Physical and Cyber Security Conference: Proactive Security and Regulatory Best Practices

Tuesday, January 30, 2018

8:00 a.m. - 8:30 a.m.
Welcome and Introductions

8:30 a.m. - 9:30 a.m.
Department of Energy Opening Presentation

Security, Risk, and Investment Decisions; A DOE Office of Security Approach For Securing Power Marketing Administration Transmission Assets
Michael Sparks, Director, Office of Security Assistance, U.S. Department of Energy
The Department of Energy’s Office of Security Assistance (AU-52) manages and integrates multiple programs to improve the security posture of the Department of Energy and protect the Department’s assets, facilities and personnel including nuclear weapons facilities, National Laboratories, the Strategic Petroleum Reserve, and the four Power Marketing Administrations (PMA’s). Relying on decades of experience in Design Basis Threat policy development, vulnerability analyses, risk assessments, performance testing, tactics development, and technology integration, AU-52’s subject matter experts work with requesting sites to ensure security systems meet departmental and national requirements commensurate with the value of the assets being protected. This presentation will cover AU-52’s recent assistance efforts, in partnership with the PMA’s, to address topics of concern to transmission asset owners, operators and security managers within the bulk electric system.

Department of Energy Design Basis Threat
Mark Hojnacke, Physical Security Specialist, Office of Security Policy, Department of Energy
The U.S. Department of Energy (DOE) has used the concept of a design basis threat (DBT) for more than 30 years. The DBT in DOE serves a number of purposes. It defines the types of assets within DOE requiring protection and bins them in accordance with the consequences of their loss, it defines the protection strategy the physical protection system must achieve for each asset, it implements a risk management framework, and it defines the types of threats the DOE is protecting assets against and the range of capabilities and events attributable to the threats. The DOE DBT is informed by National level threat assessments conducted to determine potential threats to nuclear facilities, materials and operations. The DBT implements graded protection based on the consequences of loss of assets, including nuclear material, radiological sources and hazardous chemicals with the potential for unacceptable consequences from sabotage, hazardous biological materials, critical facilities, property, and personnel.

Department of Energy Physical Security Risk Assessment Tool for Power Marketing Administration Electric Substations
Carl Pocratsky, Engineer, Office of Security Assistance, Department of Energy
Department of Energy (DOE) Power Marketing Administrations (PMAs) are required to protect their facilities by NERC standards, and federal and DOE policies. Accepted methodologies for determining appropriate security measures for electric substations have not been readily available to the PMAs. Typical protective measures and security systems for office buildings may be insufficient or operationally infeasible because substations are often located in remote areas, are typically unmanned, have high value assets exposed, and have high electrical fields impacting sensor performance and the safety of responders. Likewise, protective measures for sensitive high-security government and industrial facilities are so robust and onerous that they would be completely unaffordable for widespread application throughout the electric transmission infrastructure.

9:30 a.m. - 10:15 a.m.
How the IoT (Internet of Things) Wants to Ruin Your Life and Disrupt Implementation of New Physical Security Solutions
David Batz, Senior Director, Cyber & Infrastructure Security, Edison Electric Institute
In today’s world, it can be argued that you can’t have cyber security without physical security, however many newly developed physical security solutions require effective cyber security to operate as desired. David Batz will discuss current trends in cyber security including the recent attack on the electric grid in the Ukraine and discuss lessons learned for electric utilities as well as physical security managers.

10:15 a.m. - 10:30 a.m.
Networking Break

10:30 a.m. - 11:15 a.m.
Intrusion Detection
Sam Sharwarko, Security Specialist, WAPA
This presentation will discuss the nature of intrusions and security breaches, the systems used to monitor intrusions, and response and investigation. It will also address the theory on how intrusion detection systems operate, their benefits, implications on compliance, and various technologies.

11:15 a.m. - Noon
NERC Compliance Audits – WECC vs. TRE
Laurie Williams, Senior Manager, Ops & Planning Reliability Compliance, PNM Resources, Inc.
The ‘NERC Compliance Audits – WECC vs. TRE’ presentation will outline the major differences between the audit approaches for WECC and TRE especially with respect to the most recent 2017 audits for both the Operations and Planning and the CIP areas. The presentation will also briefly cover how TRE conducted ERCOT Operating Guides and Protocols Audit and Spot Checks in the WECC Region. The presentation will provide specifics on differences in what is required to demonstrate compliance with key standards as well as how each Region conducts its audit processes including the data request processes, and other aspects of what registered entities can expect as part of these audits.

Noon - 1:00 p.m.
Networking Lunch

1:00 p.m. - 2:30 p.m.
Roundtable

2:30 p.m. - 2:45 p.m.
Networking Break

2:45 p.m. - 3:45 p.m.
Panel: Sparing Strategies for Transformers

Sparing Strategy at NPPD
Panelist #1: Art Wiese, Transmission & Distribution Manager, Nebraska Public Power District
This presentation will describe the process NPPD went through to determine what spares we believe we would need as a result of a High Impact Low Frequency (HILF) event. It will also cover NPPD’s philosophy for stocking or otherwise acquiring spares for a HILF event.

Ameren Transmission Sparing and Resiliency Strategy
Panelist #2: Luke Wollin, Director, Transmission Design, Ameren
The presentation will focus on assessing the physical threats and other potential risks to the transmission system. We will discuss the security measures and spare equipment necessary to provide resiliency and properly mitigate these risks. The discussion will primarily concentrate on physical security at the substation and critical structures, hardened transformers, mobile spare transformers, and the overall quantity of spare equipment required.

Transformer Risk Strategy for High Impact Low Frequency Events
Panelist #3: Chris Lyles, Asset Management Specialist, Western Area Power Administration
WAPA’s proposed spare transformer strategy to mitigate high impact, low frequency events. This presentation has been delivered to WAPA’s transmission customers to solicit feedback on a proposed strategy.

3:45 p.m. - 4:30 p.m.
Critical Infrastructure Protection Through Defense-in-Depth
Ruben Robles, Manager, Critical Infrastructure Protection, SRP
Defense-in-depth focuses on layering controls in order to increase the security of a system. This presentation will detail the concept of defense-in-depth and how the Critical Infrastructure Protection Standards apply defense-in-depth to protect the Bulk Electric System.

Wednesday, January 31, 2018

8:00 a.m. - 8:15 a.m.
Welcome Back and Opening Remarks

8:15 a.m. - 9:00 a.m.
Organizational preparedness for an active threat incident
Gilbert D. Flores, Emergency Management Specialist, Western Area Power Administration
Tiffani DeFore, Emergency Management Program Manager, Western Area Power Administration
An active threat incident is a scary and terrible situation that hopefully no organization will have to experience. However, preparing your organization with training and exercises can lessen or even prevent this type of violence in the workplace.

9:00 a.m. - 9:45 a.m.
Active Vulnerability Assessments for High Impact BES Cyber Systems
Ruben Robles, Manager, Critical Infrastructure Protection, SRP
NERC Registered Entities are expected to comply with CIP-010 Requirement R3, Part 3.2, and perform active vulnerability assessments for high impact Bulk Electric System Cyber Systems by July 2018. Mr. Robles will discuss the guidance and expectation given by NERC. He will also inform the audience of the results of research he performed to understand how utilities are performing these assessments to meet the objective of CIP-010.

9:45 a.m. - 10:00 a.m.
Networking Break

10:00 a.m. - 10:15 a.m.
Attendee Announcements
Any registered attendee is invited to make a short announcement on their company, new products, technologies or informational updates. Announcements may include showing a product sample but not videos and power point slides. Please limit announcement to 5 minutes.

10:15 a.m. - 11:30 a.m.
Roundtable

Thank You RMEL Transmission Committee
CHAIR: Chris Koch, Manager, Substation Engineering, Kansas City Power & Light
VICE CHAIR: Keith Nix, VP, Technical Services and System Reliability, Texas New Mexico Power
Angela Piner, VP, HDR, Inc.
Ana Bustamante, Director, T&D Engineering, UNS Energy Corporation
Scott Bayer, Director, Transmission & Substation Engineering and Construction, Austin Energy
Mike Pfeister, Manager of Scheduling & Reliability Services, SRP
Jedd Fischer, Senior Project Manager, Nebraska Public Power District
John Quintana, Transmission Asset Maintenance Manager, Western Area Power Administration
Randy Harlas, Manager, Substation & Relay, El Paso Electric Company
Opening Presentation

Michael Sparks
Director, Office of Security Assistance
U.S. Department of Energy

Mark Hojnacke
Physical Security Specialist
Office of Security Policy
U.S. Department of Energy

Carl Pocratsky
Engineer, Office of Security Assistance
U.S. Department of Energy
SECURITY, RISK, AND INVESTMENT DECISIONS
A DOE Office of Security Approach For Securing Power Marketing Administration Transmission Assets
Michael H. Sparks
Director, Office of Security Assistance
U.S. Department of Energy
January 30, 2018
The Office of Security Assistance
The Office of Security Assistance manages and integrates multiple programs to improve the
security posture of the Department of Energy and protect the Department’s assets, facilities and
personnel.
• The Department’s lead for the identification, evaluation, and modification of the
Departmental security risk management policies; the modification and deployment of
vulnerability assessment tools and processes needed to meet site security mission
requirements.
• The Department’s primary resource for developing security performance data for the
analysis and assessment of protection systems, weapons and equipment.
• The Department’s corporate resource for the assessment and integration of safeguards and
security technologies necessary for countering current and emerging threats while
systematically reducing operating costs, enhancing protective force safety and survivability,
and improving overall security effectiveness.
AU‐52 Physical Security Emphasis
Field Assistance... To Protect... Against... To Prevent…
• Field Assistance: Support Risk Assessments; Test Security Equipment; Design Criteria and Tools
• To Protect: Substations; Unique and Costly Equipment; Control Centers; Transmission Lines
• Against: Theft (copper); Physical Damage; Sophisticated Attacks
• To Prevent: Downstream Impacts; Functionality; Financial Loss; Loss of Grid Resilience; Sustained Regional Blackouts
(Slide imagery: news headline “White House Goes Dark”, 9/29/2014.)
The PMA Challenge:
• What do I need to protect?
• Who and what am I protecting against?
• What security enhancements will be effective in my environment?
• How much should I spend?
Risk Based Focus
(Two Strikes and You’re Out… …Of Danger or Money)
• Threats: Copper Theft; Cyber Attacks; Weather Events; Military Assault; Non-Violent Protests; Physical Attacks; Geomagnetic Storm
• Vulnerabilities
• Consequences: Sustained Catastrophic Outage
Why Physical?
Quadrennial Energy Review, published April 2015. Figure 2‐3, left figure: Electric Disturbance Events, January 2011 – August 2014.
Pay Attention to the Bottom Line
“First known hacker-caused power outage signals troubling escalation - Highly destructive malware creates "destructive events" at 3 Ukrainian substations.” by Dan Goodin, Jan 4, 2016 3:36pm EST, Ars Technica UK

SANS NewsBites Vol. 18 Num. 001: Cyber Attack Takes Out Power in Ukraine;
The ICS Team at SANS has been researching this one since Dec 24th (an unplanned Holiday challenge and it was not Ed Skoudis - this we know). A big unknown remains: how the electric service was actually disrupted? A file wiper function can certainly disrupt the SCADA system, but that alone does not account for the outage. The SSH capability is probably a "tell" here as we suspect an attacker manually interacted with an infected machine, like an HMI (human machine interface), to command breakers to open (just a theory at this point). The wiper function could then have been used to extend the outage by denying the SCADA system, but the impacted Ukrainian utility was still capable of resorting to manual operations to (re-close breakers) and energize their system.
Next:
• The 2016 DOE Design Basis Threat (M. Hojnacke, AU-51)
• Physical Security Risk Assessment Tool for Power Marketing Administrations (C. Pocratsky, AU-52)
How the IoT (Internet of Things) Wants to Ruin Your Life and Disrupt Implementation of New Physical Security Solutions

David Batz
Senior Director, Cyber & Infrastructure Security
Edison Electric Institute
[email protected]

RMEL - January 30, 2018

Our Discussion Today
• Historical background – Cyber Security, Critical Infrastructure
• Physical Security Issues
• Emerging trends: Geo-Political Cyber/Physical Events
• Electric Utility Owner/Operator Response
Many Voices

(Potential) Adversaries
• Script Kiddies
• Business Network
• Hacktivists
• Irregular Actors
• Disgruntled Insider
• Nation State/State Sponsored

Why

Distributed Denial of Service Attacks

July 2010 Stuxnet: “Isolated Network”

The Internet Arms Bazaar

Threats

Not Just Cyber (news headlines)
• Assault on California Power Station Raises Alarm on Potential for Terrorism
• Concern Over Power Grid Security Mounts in Congress
• Sniper Attack On Calif. Power Station Raises Terrorism Fears
• High-Powered Attack On PG&E Substation Raises Concerns About Combined Threats to Grid
• Electric-Grid Attack Fuels Sniper-Versus-Hacker Debate
• U.S. Risks National Blackout from Small-Scale Attack
• Power Grid Preparedness Falls Short, Report Says
• How Safe and Reliable is America’s Electric Grid?

Components of Interest

Externalities – The Insider Threat

Cryptowall / Ransomware

Not Just Individuals

Externalities
• OPM Breach (21.5 / 1.1)

Ukraine December 2015 / December 2016
• What Happened
• How did it happen
• Could it happen again? Could it happen here?

Ukraine December 2016
• Transmission Substation
• A message?
• “HOW AN ENTIRE NATION BECAME RUSSIA'S TEST LAB FOR CYBERWAR”

CRASHOVERRIDE
• Disclosed June 2017

Externalities

Major Cyber Events Ramping Up
• Wanna Cry: Shadow Brokers; Eternal Blue
• NotPetya: Supply Chain attack; Ransomware -or- Wiper

Recent Events

Internet of Things (IoT)
• 1/1/2018: 6.4B
• 5.5 M/day
• 2020: 20.8B

Or Faster

IoT Devices

Architectural Failures
• Meltdown
• Spectre

Industry Leadership on Physical Security
• Electricity Subsector Coordinating Council
• New Cyber Mutual Assistance program development
• STEP/ SpareConnect
• EEI’s National Response Event (NRE) Framework
• NERC’s Grid Ex Exercises
• FERC Order on Physical Security Standards
Cyber Mutual Assistance is a program sponsored by the ESCC.

ESCC Purpose & Scope
Purpose: The ESCC is the principal liaison between the electric sector and the federal government for coordinating efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure.
Scope: The ESCC facilitates and supports policy and public affairs-related activities and initiatives designed to enhance the reliability and resilience of the electric grid. The ESCC is not operational.

Spare Transformer Equipment Program - 2006
SpareConnect – 2014
Transformer Transportation

SpareConnect offers an online tool to communicate a utility’s bulk power system equipment needs and provides point of contact information for people and equipment across the North American electric utility industry for specific equipment categories and classes.
Utility, Asset Owner Response
• Recognition of New Reality
• Different Threat Actors
• Marathon
• Corporate Culture Change
DOE/DHS Electricity Subsector Cybersecurity Capability Maturity Model
Approximately 20 companies (Investor Owned Utilities, Coops and Munis) participated in the pilot.
Domains in maturity model in which companies are evaluated:
1. Asset, Change, and Configuration Management
2. Workforce Management
3. Identity and Access Management
4. Risk Management
5. Supply Chain and External Dependencies Management
6. Threat and Vulnerability Management
7. Event and Incident Response, Continuity of Operations
8. Situational Awareness
9. Information Sharing and Communications
10. Cybersecurity Program Management
NIST Cyber Security Framework
Core Functions
• Identify - Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
• Protect - Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
• Detect - Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
• Respond - Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
• Recover - Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
CIS Top 20 Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware defenses
9. Limitation and control of network ports
10. Data Recovery Capability
11. Secure Configurations for Network Devices
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
Responding
• Engagement between operations and Physical / IT / Security organizations
• New engagement with Local/Federal law enforcement
• Cyber Mutual Assistance

Responding
• Protection of Control / EMS / SCADA networks
• Sustainable, repeatable processes required
• Commitment to Protection
Guiding Principle
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
- Sun Tzu, The Art of War, 600 BC
Takeaways
• Tools and automation added to physical security programs bring new functionality and risks.
• Do you know the people within your organization who are responsible for SCADA security, Cyber Security, Data Networking and Business Continuity?
• Effective Physical Security relies on good Cyber Security... Effective Cyber Security relies on good Physical Security, including substations and control houses.
• Do your projects include a cyber security review?
  - Contractual language
  - Vulnerability assessments/ Pen Testing
  - 3rd party risk assessment

To Join or for More information
Cyber Mutual Assistance: http://www.electricitysubsector.org/CMA
[email protected]
Intrusion Detection

Sam Sharwarko
Security Specialist
Western Area Power Administration

Physical Intrusion Detection
Sam Sharwarko, CPP, PSP
January 30, 2018
RMEL Physical & Cyber Security Conference, Tempe, AZ

Western Area Power Administration
• 1 of 4 PMAs in the DOE
• Transmit and market wholesale power throughout 15 states in Western U.S.
• HQ in Denver; 5 Regions
• Sam Sharwarko, CPP, PSP
  • Office of Security & EM
  • Physical Security countermeasures
  • Security integration and coordination
  • BPA with Williams Electric Co.

Intrusion Detection – RMEL Physical & Cyber Security Conference


Transition Areas
(Diagram labels: Property Line; Deter; Delay; Detect, Assess, Respond.)

Transition Areas
(Diagram labels: Delay, Detect, Assess, Communicate, Respond; Adversary Task Time; zones Public, Semi-Public, Semi-Private, Private.)

Intrusion Detection
• Early & accurate intrusion detection increases the time available for assessment & response
• Detect → Assess → Respond, with Communicate linking the three:
  • Assess: What is it? Is it a threat? What type of response is needed?
  • Respond: Dispatch, Deploy, Travel; Access, Investigate, Intercept
• Intrusion detection systems (IDS) sense and report potential unauthorized entry into a controlled area.
• Some systems can classify, but a human is needed to assess.
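The timeline the two Transition Areas slides and this slide describe can be checked numerically: only the adversary task time spent on delay after the alarm sounds is available for assessment, communication and response, so moving detection outward (or adding delay inside the detection point) is what buys the responders time. The following Python script is an added illustration, not code from the slides or from WAPA; the layer names, delay values and response times are constructed assumptions, and the rule that detection happens at the start of the detecting layer is a modelling simplification.

```python
"""Detect-early timeline check for a layered physical protection system.

Added example, not from the slides or from WAPA: it turns the slide's
'Delay, Detect, Assess, Communicate, Respond' timeline into a check that
the response force can arrive before the adversary finishes. All layer
names, delay values and response times below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Layer:
    name: str        # transition area / barrier, outermost first
    delay_s: float   # seconds the barrier holds an adversary (adversary task time)
    detects: bool    # a sensor on this layer reports the crossing


def first_detection(layers: List[Layer]) -> Optional[int]:
    """Index of the outermost layer that reports the intrusion, or None."""
    for i, layer in enumerate(layers):
        if layer.detects:
            return i
    return None


def remaining_task_time(layers: List[Layer], detected_at: int) -> float:
    """Adversary task time still ahead once the alarm sounds. Detection is
    assumed at the start of the detecting layer, so that layer's delay counts;
    delay already spent on undetected outer layers buys the responders nothing."""
    return sum(layer.delay_s for layer in layers[detected_at:])


def evaluate(layers: List[Layer], assess_s: float, communicate_s: float,
             respond_s: float) -> Tuple[bool, float]:
    """Return (effective, margin_s): effective when assess + communicate +
    respond fits inside the adversary's remaining task time."""
    idx = first_detection(layers)
    if idx is None:
        return False, float("-inf")     # no detection means no response at all
    margin = remaining_task_time(layers, idx) - (assess_s + communicate_s + respond_s)
    return margin >= 0, margin


def innermost_viable_detection(layers: List[Layer], assess_s: float,
                               communicate_s: float, respond_s: float) -> Optional[int]:
    """Deepest layer at which detection still leaves enough time; None if even
    detection at the property line is too late for this response force."""
    needed = assess_s + communicate_s + respond_s
    viable = None
    for i in range(len(layers)):
        if remaining_task_time(layers, i) >= needed:
            viable = i
    return viable


# Constructed substation layering, property line inward (values are illustrative).
def build_layers(detect_at: str) -> List[Layer]:
    names_delays = [("property-line fence", 30.0), ("yard gate", 60.0),
                    ("control-house door", 90.0), ("relay cabinet", 120.0)]
    return [Layer(n, d, n == detect_at) for n, d in names_delays]


OUTER_DETECTION = build_layers("property-line fence")   # fence-line sensor
INNER_DETECTION = build_layers("control-house door")     # door contact only

# Constructed response timeline: 60 s assess (camera check), 30 s communicate,
# 180 s for the response force to travel and intercept.
ASSESS_S, COMMUNICATE_S, RESPOND_S = 60.0, 30.0, 180.0

if __name__ == "__main__":
    for label, layers in (("fence-line detection", OUTER_DETECTION),
                          ("door-contact detection", INNER_DETECTION)):
        ok, margin = evaluate(layers, ASSESS_S, COMMUNICATE_S, RESPOND_S)
        print(f"{label}: {'effective' if ok else 'too late'} (margin {margin:+.0f} s)")
    deepest = innermost_viable_detection(OUTER_DETECTION, ASSESS_S, COMMUNICATE_S, RESPOND_S)
    print("detection must occur no deeper than:", OUTER_DETECTION[deepest].name)
```

With these constructed numbers the same barriers and the same response force succeed when the fence line alarms (30 s to spare) and fail when the first alarm is the control-house door contact (60 s short); the last function answers the planning question directly, reporting the deepest layer at which detection is still early enough.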
Types of Physical Intrusion
• Stealth
  • Fraudulent credentials
  • Drone
  • Bridging
• Force
  • Cutting
  • Climbing
  • Ramming
• Accidental
  • Vehicle loses control

Intrusions (photo examples)
Behavior Patterns
(Three plots of Probability against a Behavior Parameter, with two overlapping curves: Intruder Behaviors and Authorized User Behaviors. The second plot labels the four regions of the overlap 1 through 4; the third adds a marker labelled Intrusion Detection Strategy, the point on the behavior parameter at which the system decides to alarm.)
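The trade-off those three plots draw can be worked through with numbers. The Python script below is an added illustration, not code from the slides or from WAPA: it models the two curves as normal distributions of a behavior parameter (an assumption; the slide does not specify a distribution), treats the Intrusion Detection Strategy as an alarm threshold on that parameter, and reports how the detection probability and the share of authorized activity that becomes a nuisance alarm move together as the threshold moves. The means, spread and event counts are constructed.

```python
"""Detection threshold on a behavior parameter: PD versus nuisance alarms.

Added example, not from the slides: it models the 'Behavior Patterns' plots
as two overlapping normal distributions of a behavior parameter (e.g. fence
vibration amplitude), one for authorized users and one for intruders, and
shows how the strategy (the alarm threshold) trades detection probability
against nuisance alarms. The means, spreads and event counts are constructed.
"""
import math
from typing import List, Optional, Tuple


def normal_cdf(x: float, mean: float, sd: float) -> float:
    """P(X <= x) for X ~ Normal(mean, sd), via the complementary error function."""
    return 0.5 * math.erfc(-(x - mean) / (sd * math.sqrt(2.0)))


def detection_probability(threshold: float, intruder_mean: float, sd: float) -> float:
    """PD: fraction of intruder behaviors above the threshold (the region where
    the system alarms on a real intrusion)."""
    return 1.0 - normal_cdf(threshold, intruder_mean, sd)


def nuisance_probability(threshold: float, authorized_mean: float, sd: float) -> float:
    """Fraction of authorized-user behaviors that also exceed the threshold:
    each becomes a nuisance alarm (the system worked as configured)."""
    return 1.0 - normal_cdf(threshold, authorized_mean, sd)


def sweep(thresholds: List[float], authorized_mean: float, intruder_mean: float,
          sd: float, authorized_events_per_day: float) -> List[Tuple[float, float, float, float]]:
    """For each candidate threshold return (threshold, PD, P(nuisance),
    expected nuisance alarms per day)."""
    rows = []
    for t in thresholds:
        pd = detection_probability(t, intruder_mean, sd)
        pn = nuisance_probability(t, authorized_mean, sd)
        rows.append((t, pd, pn, pn * authorized_events_per_day))
    return rows


def choose_threshold(thresholds: List[float], authorized_mean: float, intruder_mean: float,
                     sd: float, authorized_events_per_day: float,
                     max_nuisance_per_day: float) -> Optional[float]:
    """Lowest threshold (hence highest PD) whose expected nuisance alarm rate
    stays within what the alarm station can assess. None if no candidate fits."""
    for t, _pd, _pn, per_day in sweep(sorted(thresholds), authorized_mean, intruder_mean,
                                      sd, authorized_events_per_day):
        if per_day <= max_nuisance_per_day:
            return t
    return None


# Constructed scenario: authorized activity centred at 0, intruders at 3 (same
# spread), 200 authorized events per day passing the sensor.
AUTH_MEAN, INTRUDER_MEAN, SD = 0.0, 3.0, 1.0
AUTH_EVENTS_PER_DAY = 200.0
CANDIDATES = [0.5, 1.0, 1.5, 2.0, 2.5, 3.0]

if __name__ == "__main__":
    for t, pd, pn, per_day in sweep(CANDIDATES, AUTH_MEAN, INTRUDER_MEAN, SD, AUTH_EVENTS_PER_DAY):
        print(f"threshold {t:.1f}: PD={pd:.3f}  P(nuisance)={pn:.3f}  "
              f"~{per_day:.1f} nuisance alarms/day")
    print("chosen threshold:", choose_threshold(CANDIDATES, AUTH_MEAN, INTRUDER_MEAN, SD,
                                                AUTH_EVENTS_PER_DAY, max_nuisance_per_day=5.0))
```

Raising the threshold lowers both PD and the nuisance alarm load at once, which is why the slide treats the strategy as a choice rather than a setting to maximise; `choose_threshold` picks the most sensitive setting whose nuisance load the alarm station can still assess, which in the constructed scenario is 2.0.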
Detection Zones (diagram)

Detection Technology
• Perimeter Disturbance
  • Fence line
  • Buried cable
• Visual
  • Cameras
  • People
• Volumetric
  • RADAR
  • MW
  • IR

Detection Zones (diagram)

RADAR (illustration)

Buried Sensors
• Coax (magnetic)
• Fiber
• Seismic (geophone)

Video Detection (illustration)

Detection Zones (diagram)

Microwave & IR Beam (illustration)

Fence Disturbance
• Acoustic signal processing
• Taut wire

Detection Zones (diagram)

Interior Technologies
• Passive Motion Detection
  • Detect energy
  • PIR
• Active Sensors
  • Emit energy
  • Detect reflected wave
• Dual Technology Sensors
• PIRs detect differences in thermal signature and movement across coverage sectors.

PIR Coverage (three coverage-pattern illustrations)

Interior Technologies
• Door Contact
  • Balanced Magnetic Switch (n.o.)
  • Reed Switch
• Other technologies may include:
  • Pressure mats
  • Sonic
  • Ultrasonic
  • Photoelectric beams
  • Microwave
  • Capacitance
  • Vibration
• PIR has retired most of these technologies


Nuisance and False Alarms
• Best systems have high PD, but low NAR & FAR
• Nuisance alarms
  • System performed correctly as configured, but the detection did not warrant notification or response
  • Alarms x Time = NAR
• False alarms
  • System did not perform correctly and generated a notification
  • False Alarms x Time = FAR

Intrusion Detection – RMEL Physical & Cyber Security Conference
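Scoring a system against the three measures on this slide is a bookkeeping exercise over the alarm station's records: each alarm is dispositioned after assessment as a real intrusion, a nuisance alarm (system worked as configured) or a false alarm (system fault), and PD comes from logged performance-test crossings rather than from live alarms. The Python script below is an added illustration, not code from the slides or from WAPA; every alarm record, test record and zone name in it is constructed, and the rates are expressed as alarms per day of observation.

```python
"""PD, NAR and FAR from an alarm history and a detection test record.

Added example, not from the slides or from WAPA: it scores a perimeter IDS
the way the 'Nuisance and False Alarms' slide defines the terms. Every alarm
record and test-intrusion record below is constructed for illustration.
  - nuisance alarm: the system performed correctly as configured but the
    detection did not warrant notification or response (wildlife, weather)
  - false alarm: the system did not perform correctly (sensor or comms fault)
  - PD: share of test intrusions the system detected
Rates are alarms per day of observation.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed alarm history for one observation week. Disposition is what the
# alarm station recorded after assessment (camera review / patrol).
ALARM_LOG = [
    ("2018-01-22T02:14:00", "zone-1", "nuisance", "coyote at fence"),
    ("2018-01-23T11:05:00", "zone-1", "intrusion", "test team, logged exercise"),
    ("2018-01-24T03:40:00", "zone-1", "nuisance", "high wind, fence vibration"),
    ("2018-01-24T22:51:00", "zone-2", "nuisance", "tumbleweed across beam"),
    ("2018-01-25T14:02:00", "zone-1", "false", "processor rebooted, no cause found"),
    ("2018-01-27T05:30:00", "zone-1", "nuisance", "bird on taut wire"),
]
WINDOW = (datetime(2018, 1, 22), datetime(2018, 1, 29))   # 7 days of observation

# Constructed performance-test record: (zone, detected?) for each test crossing.
TEST_INTRUSIONS = [("zone-1", True)] * 5 + [("zone-2", True)] * 4 + [("zone-2", False)]


def observation_days(window: Tuple[datetime, datetime]) -> float:
    start, end = window
    return (end - start).total_seconds() / 86400.0


def alarm_rates(log: List[tuple], window: Tuple[datetime, datetime]) -> Dict[str, Dict[str, float]]:
    """Per-zone NAR and FAR (alarms per day) plus raw counts, restricted to the window."""
    start, end = window
    counts: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"nuisance": 0, "false": 0, "intrusion": 0})
    for ts, zone, disposition, _note in log:
        when = datetime.fromisoformat(ts)
        if start <= when < end:
            counts[zone][disposition] += 1
    days = observation_days(window)
    return {zone: {"NAR": c["nuisance"] / days, "FAR": c["false"] / days,
                   "nuisance": c["nuisance"], "false": c["false"]}
            for zone, c in counts.items()}


def detection_probability(tests: List[Tuple[str, bool]]) -> Dict[str, float]:
    """PD per zone and overall: detected test crossings / attempted crossings."""
    attempts: Dict[str, int] = defaultdict(int)
    detected: Dict[str, int] = defaultdict(int)
    for zone, was_detected in tests:
        attempts[zone] += 1
        detected[zone] += int(was_detected)
    pd = {zone: detected[zone] / attempts[zone] for zone in attempts}
    pd["overall"] = sum(detected.values()) / sum(attempts.values())
    return pd


def noisiest_zone(rates: Dict[str, Dict[str, float]]) -> str:
    """Zone with the highest nuisance alarm rate: the first candidate for
    re-tuning or for a dual-technology sensor."""
    return max(rates, key=lambda z: rates[z]["NAR"])


if __name__ == "__main__":
    rates = alarm_rates(ALARM_LOG, WINDOW)
    for zone, r in sorted(rates.items()):
        print(f"{zone}: NAR={r['NAR']:.2f}/day  FAR={r['FAR']:.2f}/day")
    print("PD:", detection_probability(TEST_INTRUSIONS))
    print("noisiest zone:", noisiest_zone(rates))
```

Keeping nuisance and false alarms in separate columns matters for what you do next: a high NAR points at tuning, zone layout or a different sensor technology, while any non-zero FAR points at maintenance of the sensor or its communications; PD only moves with deliberate test crossings, which is why the test record is kept apart from the live alarm log.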


Benefits & Limitations
• IDS can:
  • Notify us that “something has happened”
  • Communicate instantly
  • Be cost-effective
  • Provide accountability (incl. compliance) and documentation
• IDS does not:
  • Delay or stop an intruder
  • Provide significant deterrence
  • Assess an event

Questions


NERC Compliance Audits – WECC vs TRE

Laurie Williams
Sr. Manager, Ops & Planning Reliability Compliance
PNM Resources, Inc.
January 2018

NERC Compliance Audits – WECC vs. TRE, RMEL
PNM Resources, Inc. Overview
• Investor-owned energy holding company
  – Headquartered in Albuquerque, New Mexico
• Utility subsidiaries:
  – Public Service Company of New Mexico (PNM)
  – Texas-New Mexico Power Company (TNMP)
• Trades on the NYSE under the ticker ‘PNM’
PNM Resources Snapshot
New Mexico and Texas Service Territories
• Vertically integrated, full-service utility for more than 520,449 NM residential and business customers
• Transmission and Distribution provider delivering electricity to approximately 246,620 accounts throughout Texas

Registered Functions
Entity Name | Region | BA | DP | GO | GOP | PA | RP | TO | TOP | TP | TSP
PNM         | WECC   | X  | X  | X  | X   | X  | X  | X  | X   | X  | X
TNMP        | TRE    |    | X  |    |     |    |    | X  | X   |    | X
(BA Balancing Authority, DP Distribution Provider, GO Generator Owner, GOP Generator Operator, PA Planning Authority, RP Resource Planner, TO Transmission Owner, TOP Transmission Operator, TP Transmission Planner, TSP Transmission Service Provider)
Background on PNM
• Vertically integrated utility
• 2364 MW* Generation Resources
• PNM’s retail energy mix: 11.1% Gas, 50.6% Coal, 8.8% Renewables, and 29.5% Nuclear
• Retired 2 coal units
• 3,189 miles of transmission, 11,149 miles of distribution
• 2017 Peak Load of 1,843 MW
• Approximately 1,400 employees around the state
• 3 BA/TOP Control Centers, CIP Medium and Low Substations
• CIP v3 applicable prior to v5
*Prior to coal retirements December 2017
** Based on calendar year 2016
Background on TNMP
• Regulated Transmission & Distribution Provider (no generation)
• TNMP owns 978 circuit miles of transmission; 7,111 miles distribution; 1,209 circuit miles of underground distribution lines
• 2017 Peak load of 1,701 MW
• Approximately 360 employees
• 3 TOP Control Centers, 2 Data Centers
• CIP Medium and Low Substations
• CIP v3 not applicable before v5
*As of December 31, 2016
Audit Schedules

WECC
• Notice of Audit Dates email: 5/6/16
• IRA Request: 5/6/16, Due: 8/20/16
• Draft IRA Report: 11/28/16
• Final IRA: 12/22/16*
• Notice of Compliance Audit: 2/7/17
• Pre-Audit Conference Call: 3/29/17
• Pre‐Audit Survey: 3/9/17
• Audit Package: 4/7/17
• First DR: 4/10/17
• Audit Dates: 5/8/17 – 5/19/17
• CIP and O&P Audit period: 2/19/14 – 2/7/17
• Final Audit Report: 7/18/17
* WECC formally publishes audit schedule w/ dates in late summer for full year following

TRE
• Notice of Audit Dates email: formal 4/27/17 (informal email 4/13/17 & via phone 4/12/17)
• Draft IRA Report: 3/17 and 4/16
• Final IRA: 4/11/17
• Notice of Compliance Audit: 5/2/17
• Pre-Audit Conference Call: 4/12/17
• Pre‐Audit Survey/TOP Information Request: 5/26/17
• Audit Package: 6/1/17
• First DR: 6/26/17
• Audit Dates: 7/31/17-8/11/17
• CIP Audit Period: 2/26/14-10/11/17
• O&P Audit Period: 8/28/14-10/11/17
• Closing Meeting: 10/11/17
PNM Audit Team

CIP AUDIT TEAM (11 total)
• John Graminski, Senior Auditor, Audit Team Lead
• Morgan King, Senior Auditor
• Gary King, Senior Auditor
• Zach Trublood, Senior Auditor
• Lisa Wood, Auditor
• Eric Weston, Auditor
• Carl Bench, Auditor
• Mark Lemery, Auditor
• Holly Eddy, Auditor
• Jennifer Salisbury, Associate Auditor
• Stacia Carron, Associate Auditor
WECC Observers
• Darren Nielsen, Manager, CIP Audits
• Katie Iversen, Associate Engineer

OPS AND PLANNING AUDIT TEAM (7 total)
• Mike Wells, Senior Auditor, Audit Team Lead
• Roger Cummins, Senior Auditor
• Jay Loock, Senior Auditor
• Mark Christensen, Auditor
• Patrick Van Guilder, Senior Risk Engineer
• Jim Terpening, WECC Consultant
• Mike Brock, WECC Consultant
FERC Observers
• Bayard Koch, Electrical Engineer (did not attend)
• Robert Clark, Electrical Engineer
NERC Observers
• Ryan Mauldin, Compliance Assurance Advisor
TNMP Audit Team
O&P (3 total)
• Frank Vick, Sr Compliance Analyst, Audit Team Leader – O&P Auditor since Jun 2005
  – CenterPoint Senior Electrical Engineering Specialist in the Substation Engineering Division; also relaying and planning experience
• Jens Steinborn, Compliance Engr III – O&P Auditor since Aug 2010
  – Semi-conductor product development; certified System Operator in ERCOT
• Michael Dillard, Compliance Analyst II – O&P Auditor since Feb 2015
  – Navy nuclear plant operator, QA inspector, Operator at Southern Company and C.o. Tallahassee; NERC Certified RC
CIP (3 total)
• Kenath Carver, Compliance Team Lead – CIP Auditor since Feb 2012
  – IT Business Solutions Analyst and Sr IT Security Administrator
• Benjamin Gregson, CIP Security Analyst I – CIP Auditor since Sept 2016
  – System Admin, Texas A&M System Turbomachinery Laboratory (5 yrs) & IT banking environment
• Paul Hopson, CIP Security Analyst III – CIP Auditor since Aug 2016
  – Information Security Officer and Senior Network Systems Engineer for the PUCT and TX AG Office, and LAN/WAN Network Manager for the Texas Rehabilitation Commission
Audit Scope
PNM
• 2014
• 32 O&P requirements
• 29 CIP requirements
• No findings by WECC beyond those self-reported by PNM
• Audit package: 564 O&P and 316 CIP documents (955 MB)
• 59 Data Requests or "DRs"
• 13 interviews
• 5 Facility tours
• 14 Technical Feasibility Exception (TFE) Reviews
TNMP
• 2014
• 19 O&P requirements
• 15 CIP requirements
• No findings by TRE beyond those self-reported by TNMP
• Audit package: 167 O&P and 286 CIP documents (335 MB)
• 93 Data Requests
• 12 interviews
• 4 Facility tours
• No TFE reviews
• 4 CIP "live" demonstrations (~1.5 days)
CIP Audit Scope
PNM
1. CIP-002-5.1 R1
2. CIP-002-5.1 R2
3. CIP-003-6 R1
4. CIP-003-6 R3
5. CIP-004-6 R1
6. CIP-004-6 R2
7. CIP-004-6 R3
8. CIP-004-6 R4
9. CIP-004-6 R5
10. CIP-005-5 R1
11. CIP-005-5 R2
12. CIP-006-6 R1
13. CIP-006-6 R2
14. CIP-007-6 R1
15. CIP-007-6 R2
16. CIP-007-6 R3
17. CIP-007-6 R4
18. CIP-007-6 R5
19. CIP-008-5 R1
20. CIP-009-6 R1
21. CIP-010-2 R1
22. CIP-010-2 R2
23. CIP-010-2 R3
24. CIP-011-2 R1
25. CIP-011-2 R2
26. CIP-014-2 R1
27. CIP-014-2 R2
28. CIP-014-2 R3
29. CIP-006-6 R3
TNMP
1. CIP-002-5.1a R1
2. CIP-002-5.1a R2
3. CIP-005-5 R1
4. CIP-005-5 R2
5. CIP-006-6 R1
6. CIP-006-6 R2
7. CIP-007-6 R1
8. CIP-007-6 R2
9. CIP-007-6 R3
10. CIP-008-5 R1
11. CIP-009-6 R1
12. CIP-010-2 R1
13. CIP-010-2 R2
14. CIP-014-2 R1
15. CIP-014-2 R2
O&P Audit Scope
PNM
1. COM-002-4 R1
2. COM-002-4 R2
3. COM-002-4 R3
4. EOP-001-2.1b R3
5. EOP-005-2 R10
6. EOP-005-2 R11
7. EOP-008-1 R6
8. FAC-003-4 R1
9. FAC-003-4 R2
10. FAC-003-4 R6
11. FAC-003-4 R7
12. FAC-008-3 R6
13. FAC-014-2 R5
14. FAC-014-2 R6
15. FAC-501-WECC-1 R3
16. PER-005-2 R3
17. PER-005-2 R5
18. PER-005-2 R6
19. PRC-001-1.1(ii) R3
20. PRC-001-1.1(ii) R5
21. PRC-004-4(i) R1
22. PRC-004-4(i) R2
23. PRC-004-WECC-1 R1
24. PRC-005-6 R1
25. PRC-005-6 R3
26. PRC-006-2 R9
27. TOP-002-2.1b R4
28. TOP-002-2.1b R6
29. TOP-002-2.1b R11
30. TOP-006-2 R2
31. TOP-007-0 R1
32. VAR-002-4 R1
TNMP
1. COM-002-4 R1
2. COM-002-4 R2
3. COM-002-4 R4
4. EOP-004-3 R3
5. EOP-008-1 R5
6. EOP-008-1 R7
7. FAC-008-3 R3
8. FAC-008-3 R6
9. FAC-008-3 R8
10. IRO-017-1 R2
11. PER-005-2 R3
12. PRC-001-1.1(ii) R3
13. PRC-004-5(i) R1
14. PRC-004-5(i) R2
15. PRC-004-5(i) R3
16. PRC-005-6 R1
17. PRC-005-6 R3
18. PRC-023-4 R1
19. TOP-001-3 R9
PNM Site Visits and Interviews
• Interviews
  – CIP-002 R1 (1st DR), -004, -005, -006 R1, -007, -010
  – FAC-003 and -008
  – PER-005-2
  – PRC-005 and FAC-501-WECC
• Site Visits
  – Primary, Backup and Generation Dispatch Control Centers (CIP and O&P)
  – 2 'Medium' Stations
• CIP-014 in-person "hand-off" – via hard copy
• TPL-001-4 informal Q&A session with SME
TNMP Site Visits and Interviews
• CIP "Live" Demonstrations
  – CIP-005-5 R1 (Part 1.5), R2
  – CIP-007-6 R1, R2, R3, R4*
  – CIP-009-6 R1 (Parts 1.3 and 1.4)
  – CIP-010-2 R1, R2
• Site Visits
  – Primary and Backup Control Centers for CIP and O&P
• CIP-014 in-person "hand-off" – via encrypted drive
• Interviews
  – CIP-014-2 R1, R2
  – COM-002-4 R1, R2, R4
  – EOP-004-3 R3
  – EOP-008-1 R5, R7
  – FAC-008-3 R3, R6, R8
  – IRO-017-1 R2
  – PER-005-2 R3
  – PRC-001-1.1(ii) R3
  – PRC-004-5(i) R1, R2, R3
  – PRC-005-6 R1, R3
  – PRC-023-4 R1
  – TOP-001-3 R9
General Observations
WECC
• O&P Audit team had more utility experience (due to large team size)
• Many newer CIP Auditors
• More extensive IRA evaluation
TRE
• CIP Audit team had more CIP technical background
• No final Audit report to date
• Greater administrative effort – evidence inventory/certifications

Often differing audit approaches, but the teams reached the same conclusions and were open to discussion/explanation
General Observations, con't.
• Overall – audited fewer standards but more in-depth
• WECC approach more standardized for both CIP and O&P sides
• Teams were both looking for compliance
• No ICE requested or offered for either engagement
• Embedded Internal Controls into RSAWs, and both Regions liked that approach
Both Regions
• CIP Security Mgmt Software demonstrations
  – Baseline configurations, ports and services, changes, user activity, firmware/Operating Systems, applications, patching, anti-virus and anti-malware protections for -005 and -007
• Validation of self-report scopes and remediation/mitigation
• Validation of audit evidence against other data sources (O&P)
• FAC-008, FAC-501, PER-005 and PRC-005 sampling
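The baseline-configuration demonstrations both Regions asked for come down to one comparison: the documented CIP-010 R1 baseline against what the device actually shows today, with every departure traced to an authorized change record and every listening port that is not in the baseline treated as a CIP-007 R1 question. The script below is an added example of that comparison, not code from the page, from PNM or TNMP, or from any vendor's CIP management product. The baseline, the `ss -ltnu` snapshot and the change record number are constructed for illustration.

```python
"""Baseline-deviation check in the spirit of a CIP-010 R1 / CIP-007 R1 walk-through.

Added example, not code from the page or from any vendor's CIP management
product.  The baseline items follow CIP-010-2 R1 Part 1.1 (OS/firmware,
commercially available software, custom software, logical network accessible
ports, applied security patches).  The baseline, the `ss -ltnu` snapshot and
the change record number are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Finding = Tuple[str, str, str]   # (baseline item, kind of deviation, detail)
Port = Tuple[str, int]           # (protocol, port number)


@dataclass(frozen=True)
class Baseline:
    os: str
    commercial_sw: FrozenSet[str]
    custom_sw: FrozenSet[str]
    ports: FrozenSet[Port]        # listeners expected on the device
    patches: FrozenSet[str]


def parse_listeners(ss_output: str) -> FrozenSet[Port]:
    """Extract (proto, port) listeners from `ss -ltnu`-style output."""
    listeners = set()
    for line in ss_output.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]            # e.g. "tcp", "0.0.0.0:22"
        listeners.add((proto, int(local.rsplit(":", 1)[1])))
    return frozenset(listeners)


def diff_baseline(expected: Baseline, observed: Baseline) -> List[Finding]:
    """Every way the observed device departs from its documented baseline."""
    findings: List[Finding] = []
    if expected.os != observed.os:
        findings.append(("os", "changed", f"{expected.os} -> {observed.os}"))
    for item in ("commercial_sw", "custom_sw", "patches"):
        exp, obs = getattr(expected, item), getattr(observed, item)
        findings += [(item, "added", x) for x in sorted(obs - exp)]
        findings += [(item, "removed", x) for x in sorted(exp - obs)]
    # CIP-007 R1: a listener that is not in the baseline is an unneeded port
    findings += [("ports", "unexpected_listener", f"{p}/{n}")
                 for p, n in sorted(observed.ports - expected.ports)]
    findings += [("ports", "missing_listener", f"{p}/{n}")
                 for p, n in sorted(expected.ports - observed.ports)]
    return findings


def unauthorized(findings: Iterable[Finding],
                 change_records: Dict[str, Iterable[Tuple[str, str]]]) -> List[Finding]:
    """Keep only deviations that no change record covers (CIP-010 R1 Part 1.2)."""
    covered = {(item, detail)
               for items in change_records.values() for item, detail in items}
    return [f for f in findings if (f[0], f[2]) not in covered]


# --- constructed sample data ------------------------------------------------
BASELINE = Baseline(
    os="RHEL 7.4",
    commercial_sw=frozenset({"openssh-7.4"}),
    custom_sw=frozenset({"scada-gw-2.1"}),
    ports=frozenset({("tcp", 22), ("tcp", 502), ("udp", 123)}),
    patches=frozenset({"RHSA-2017:1234"}),
)

SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:502        0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:8080       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
"""

OBSERVED = Baseline(
    os="RHEL 7.4",
    commercial_sw=frozenset({"openssh-7.9"}),
    custom_sw=frozenset({"scada-gw-2.1"}),
    ports=parse_listeners(SAMPLE_SS),
    patches=frozenset({"RHSA-2017:1234", "RHSA-2018:0012"}),
)

# Hypothetical change record: the OpenSSH upgrade and its patch were authorized.
CHANGE_RECORDS = {
    "CR-1042": [("commercial_sw", "openssh-7.9"),
                ("commercial_sw", "openssh-7.4"),
                ("patches", "RHSA-2018:0012")],
}


def audit() -> List[Finding]:
    """Deviations from baseline that nobody authorized."""
    return unauthorized(diff_baseline(BASELINE, OBSERVED), CHANGE_RECORDS)


if __name__ == "__main__":
    for item, kind, detail in audit():
        print(f"UNAUTHORIZED {item}: {kind} {detail}")
```

Run against the constructed data, the OpenSSH upgrade and its patch are absorbed by the change record and the only thing left on the report is the tcp/8080 listener, which is exactly the kind of item an auditor will ask an SME to explain during a walk-through: either it belongs in the baseline with a documented need, or it should be disabled.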
Both Regions, con't.
• CIP-002, -005, -006, -007: Walk-throughs – used CIP-005 network diagrams and CIP-006 PSP diagrams for validation throughout – ESPs and PSPs
• CIP-006: Verified physical security at Control Centers with doors held open – observed alarms and response
• CIP-010: SMEs walked through baselining and Change Management processes
• CIP-014: No DRs, and the audit team did not take materials off-site during the audit
CIP - TRE
• TRE – extensive "live" demonstrations
  – Validated EAP firewall rules, anti-virus configurations, intrusion detection, remote access (no IRA), etc.
• TRE CIP v5 Evidence Request – posted on TexasRE.org
• Social engineering during CC tours, such as Wi-Fi checks, keys left in server rack, desks of personnel, unplugged spare equipment left mounted in rack, etc.
CIP – TRE, con't.
• Requested laptop with CIP access
• Requested inventory of all low impact BES Cyber Systems
• Significant volume to certain DRs – large sample sizes
• Use of NP-view software- network path
connectivity and validation of access control lists
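What TRE did with the live EAP firewall-rule demonstration and with its path-analysis software is the same question asked two ways: for a given source, destination, protocol and port, which rule fires first, and does every permit into the ESP have a documented reason and go through the Intermediate System when it is interactive. The script below is an added example of that review, not code from the page, from TNMP or from any path-analysis product. The zones, addresses, rules and justifications are constructed; the only CIP references are the requirement parts named in the comments.

```python
"""First-match review of an EAP rule set, the kind of path check an auditor runs
with a network path-analysis tool against CIP-005 R1 and R2.

Added example, not code from the page, from any utility or from any
path-analysis product.  Zones, addresses, rules and justifications are
constructed; the only CIP references are the requirement parts named in
the comments.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # destination port, None = any
    reason: str = ""       # CIP-005-5 R1 Part 1.3: documented need for the permission

    def matches(self, proto: str, src_ip, dst_ip, port: int) -> bool:
        return (self.proto in ("any", proto)
                and src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst)
                and (self.port is None or self.port == port))


def evaluate(rules: Sequence[Rule], proto: str, src: str, dst: str,
             port: int) -> Tuple[str, Optional[int]]:
    """First matching rule decides; implicit deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, rule in enumerate(rules):
        if rule.matches(proto, s, d, port):
            return rule.action, index
    return "deny", None


def _within(cidr: str, zone: str) -> bool:
    return ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(zone))


def review(rules: Sequence[Rule], esp: str, intermediate: str,
           interactive_ports: Sequence[int] = (22, 3389, 5900)) -> List[str]:
    """Permits an auditor would question, as human-readable findings."""
    issues: List[str] = []
    for index, rule in enumerate(rules):
        if rule.action != "permit":
            continue
        inbound = (ipaddress.ip_network(rule.dst).overlaps(ipaddress.ip_network(esp))
                   and not _within(rule.src, esp))
        if not rule.reason:
            issues.append(f"rule {index}: permit without a documented reason (R1 Part 1.3)")
        if inbound and rule.port is None:
            issues.append(f"rule {index}: inbound permit into the ESP with no port restriction")
        if (inbound and rule.port in interactive_ports
                and not _within(rule.src, intermediate)):
            issues.append(f"rule {index}: interactive remote access into the ESP "
                          "that bypasses the Intermediate System (R2 Part 2.1)")
    return issues


# --- constructed zones and rule set ----------------------------------------
ESP = "10.50.0.0/24"             # Electronic Security Perimeter
INTERMEDIATE = "10.20.5.10/32"   # Intermediate System that enforces MFA for IRA
CORPORATE = "10.1.0.0/16"

RULES = [
    Rule("permit", "tcp", INTERMEDIATE, ESP, 22, "IRA via Intermediate System"),
    Rule("permit", "tcp", ESP, "10.60.0.5/32", 6514, "Syslog over TLS to the SIEM"),
    Rule("permit", "udp", ESP, "10.60.0.7/32", 123, "NTP"),
    Rule("permit", "tcp", CORPORATE, "10.50.0.20/32", 3389),   # no justification
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, "default deny"),
]


if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "10.1.7.33", "10.50.0.20", 3389))
    for issue in review(RULES, ESP, INTERMEDIATE):
        print(issue)
```

The fourth rule is the one the review catches twice: it carries no documented need, and it lets a corporate workstation reach RDP on an ESP host without passing through the Intermediate System. Real EAPs have many more rules and object groups, which is why tools are used for the enumeration, but the logic an auditor applies to each permit is no more than this.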

CIP - WECC
• CIP interviews followed templates published by others on WICF
• Less extensive "live" demonstrations
  – More top-down approach to each standard
• Interviews included SMEs reiterating procedures "in own words"
• 'CIP Data Set' and 'CIP Request For Information' differed from the TRE/NERC version
• WECC walk-thru included workstation logins
  – Ping the corporate network from a device within the ESP to validate network segregation, and check that antivirus is up-to-date
• Focused on validation of self-reported items
O&P - TRE
• TOP Information Request – not posted on TexasRE.org
  – Narrative responses regarding CC displays and operations capabilities such as voltage, load shed, real-time status, alarming, etc.
  – Photos of comm capabilities, TOAPs, screen shots of available procedures
  – Summary of TNMP's disaster recovery and fail over plans/capability
  – Delegation agreements
• 'PRC-005 Spreadsheet' – posted on TexasRE.org
• Comparison of evidence against prior/current ERCOT documentation
  – e.g. FAC-008 MLSE vs. the SSWG data from ERCOT
• Significant and in-depth DRs
  – TRE indicated it generally issues about 150 CIP questions and another 150 O&P questions on average
O&P - WECC
• O&P System Operator interviews followed templates published by WICF
  – Additional event-related questions
• Protection Systems Maintenance Summary spreadsheet – replaced 'Attachment G'
• Requested explanations of FAC-008 changes against prior (2014) audit materials
• Completed and reported results of on-site validation of self-report scope and remediation/mitigation
ERCOT Operating Guides and Protocols Audits
• TRE reviews compliance on behalf of the Public Utility Commission of Texas, or "PUCT"
  – PUCT handles enforcement on the recommendations of TRE
  – 90 calendar day notification and 45 calendar day submittal (August 22, 2014 notification for a November 11, 2014 start date)
• Separate TRE group dedicated to ERCOT OG&P
• Not on NERC audit cycles – undefined frequency
• Questionnaires rather than RSAWs
• Less formal and defined than NERC audits, but generally follows the enforcement process – self-reporting, mitigation plans, etc.
Q&A
Laurie Williams
Senior Manager, Ops and Planning Reliability Compliance
Phone: 505-241-0641
[email protected]
PANEL: Sparing Strategies for Transformers

Sparing Strategy at NPPD
Art Wiese
Transmission & Distribution Manager
Nebraska Public Power District

Transformer Spare Analysis
RMEL Meeting
January 30, 2018
Background
• The electric power industry is coming under increasing scrutiny and pressure to ensure the reliability of the grid under new kinds of threats. Threats include physical and cyber attacks, and naturally occurring events (severe storms, solar activity), that could cause extensive damage. Examples are:
  – Recent attacks on the electrical system, including the rifle attack that disabled transformers at Metcalf in California
  – The use of cyber-warfare to disrupt the power supply in Ukraine
  – Super Storm Sandy, which highlighted the growing risk to the utility industry
• NPPD is considering stocking additional equipment to respond to these events
Background
• Spare Transformers in Stock:
  – 345/115 kV
  – 230/115 kV
• Additional Spare Transformer NPPD is Considering:
  – 345/230 kV
• The quantity/rating of the desired spares is based on an event occurring at any one of our BES substations
Third Party Proposal
• Members nominate what they need, and the third party keeps on hand a quantity that would meet any one member's needs during a qualifying event.
• Example:
  – Members nominated 2 identical transformers.
  – The third party determined it will store 1.
  – Each member pays 1/2 of the carrying cost to hold 1 in inventory.
  – This is like paying the carrying cost of 1/2 of a transformer.
• The material will have full vendor warranty upon delivery to the member
• Upon a "Qualifying Event", members purchase the items at the original cost and are responsible for the delivery-to-site costs as well.
NPPD Position
• Based on preliminary pricing, the annual cost to store this same "nominated" inventory at NPPD would be the lower cost option
• NPPD will continue to monitor industry activity to see if the business case changes.

Other Considerations
• To take advantage of the warranty, NPPD would likely install a new transformer and place a "used" transformer in inventory

Questions?
Ameren Transmission Sparing and Resiliency Strategy

Luke Wollin
Director, Transmission Design
Ameren

Ameren Transmission Security, Spare and Resiliency Strategy
Luke Wollin, PE
Director, Transmission Design
NOC December 2017
Ameren Corporate
Fully rate-regulated electric and gas utility
• 2.4 million electric and 0.9 million gas customers
• 10,200 megawatts (MW) of regulated electric generation capability
• Over 7,900 miles of regulated electric transmission
• 2016 Ameren rate base: $13.4 B

Ameren Corporation operating companies:
• Ameren Missouri
  – Vertically integrated electric generation, transmission and delivery and gas delivery business
  – Serves 1.2 million electric and 0.1 million gas customers
  – 10,200 MW of total generation capability
  – Regulated by the Missouri Public Service Commission (MoPSC)
• Ameren Illinois
  – Electric and gas delivery and electric transmission business
  – Serves 1.2 million electric and 0.8 million gas customers
  – Invests in local reliability projects
  – Regulated by the Illinois Commerce Commission (ICC)
• Ameren Transmission Company, LLC
  – Invests in regional projects
  – Regulated by FERC
Ameren Transmission Organization
Dedicated to investing in and expanding Ameren's transmission system
• Over 100 years of experience planning, constructing, operating and maintaining over 7,900 miles of high voltage transmission lines in Illinois and Missouri:

  Voltage   Missouri   Illinois   Total Miles
  138 kV     1,296.5    3,440.2      4,736.7
  161 kV       718.5      109.4        827.9
  230 kV         0.0      138.2        138.2
  345 kV       954.9    1,253.3      2,208.2
  Total      2,969.9    4,941.1      7,911.0

1 Excludes investment in Missouri Transmission
2 2017-2021 Forecast
Substation Security Strategy
• Tiered BES Substations into 5 categories
• Typical installation includes:
  – Cameras and motion detectors in the yard and control house
  – Additional yard and control house lighting
  – Replacement fencing, including anti-cut steel cables
  – Access to yard and control house by card reader only
• Minimum installation is a card reader at the control house
Current Transformer Spares Strategy
• Maintain 99% availability of EHV units, because the manufacturing lead time for replacement EHV transformers is 15-18 months
• An inventory of 4 extra high voltage (EHV/345 kV) spare transformers is currently maintained
  – Spare transformers are strategically located at sites with convenient railroad access
  – Spares cover all voltage classes and MVA sizes
  – A spare EHV transformer could be moved and installed in place of a failed or failing unit in 6 weeks
  – A specialized railcar was purchased for hauling EHV transformers across the system
Current Transformer Spares Strategy (cont.)
• Member of EEI STEP, a sharing program for the catastrophic loss of multiple transformers
  – A Presidential declaration of emergency due to an act of terrorism is required to trigger it
• On October 2, 2017 joined the RESTORE transformer sharing agreement with 24 other utilities
  – Triggered by a major event due to an act of terror, natural disaster, or other events creating an urgent grid need
  – Regional sharing agreement with utilities primarily located in the southeast
  – Can be expanded to include other long lead items such as breakers and transmission line towers
Current Strategy for Other Spare Transmission Equipment
• Power circuit breakers and protection devices (relays) required to back up most transmission substation devices are currently maintained.
  – In an emergency, substation equipment would be removed from operation at an unaffected substation or taken from in-progress projects.
• Spare structures, conductor and other materials necessary to restore about 5 miles of transmission line are maintained
  – Lines have hardened storm structures every 5-10 miles to stop a cascading failure
  – Rebuilding 5 line miles takes 3-4 weeks, which is the lead time on additional structures/hardware
  – In the event of a larger emergency, other utilities could supply material and manpower
• Special line towers and river crossings are not spared due to the large design variation
Long-Term Transmission Resiliency Strategy
• Overall strategy is to identify and maintain spare equipment to mitigate the risk of extended outages due to the long lead times of certain high voltage equipment
• The long-term resiliency plan includes the following goals to mitigate potential risks:
  – Replace any piece of substation equipment in 6 weeks
  – Restore load to metropolitan areas in 2 weeks after a coordinated physical attack, with all lines back in
  – Replace equipment to operate the system normally within 6 months after the total loss of a substation
  – Rebuild 5 miles of transmission line within 1 month
  – Replace a key transmission structure within 6 months
Long-Term Transmission Resiliency Strategy (cont.)
• Replace aging transformers at the most critical locations with hardened units
  – Transformer tank capable of withstanding a .50 caliber shot from 15 feet
  – Radiators equipped with valves that actuate if a bullet strike is detected
  – Dry-type polymer bushings, which do not fail catastrophically if punctured
• Acquire mobile spare EHV transformers which can be installed in 2 weeks
  – Single phase transformers designed to be shipped by truck without special permits
• Purchase a spare control house for transmission substations
  – Equipped with a set of standard panels for a typical substation
• Increase inventory of other long-lead substation spare equipment
  – Breakers, disconnect switches, instrument transformers and insulators have lead times of 4-6 months
  – Maintain spare levels sufficient to rebuild a large transmission substation
  – Use spare equipment on projects and replace it, so that spares stay under warranty
• Design and develop spare transmission structures for special structures on critical lines
  – Special long span structures (river crossings) take 12-18 months to design, procure and install
  – Install physical security at key structures to detect and prevent physical attack
Transmission System Resiliency
• Active member of the industry-wide NATF resiliency transmission advisory group
  – Provides direction to the industry on resiliency, including threats, vulnerabilities, countermeasure costs and effectiveness, and gaps in transmission system resiliency
• Participating in the EPRI EMP (electromagnetic pulse) research study
  – Three year study which concludes in January 2019
• Performing projects to provide redundancy and reinforce Ameren's transmission system
Western Area Power Administration: Transformer Risk Strategy for High Impact Low Frequency Events

Chris Lyles
Asset Management Specialist
Western Area Power Administration

Transformer Risk Strategy
High Impact Low Frequency Events

Topics
• Overview of WAPA
• Transformer Spare Need
  – Objectives
  – High Impact Low Frequency Events (HILF) and Quantities
• Alternatives for Evaluation
  – WAPA Stored Inventory
  – WAPA In-Service Spares
  – Grid Assurance
• Project Timeline
Overview of WAPA
• Part of the Department of Energy. One of four Power Marketing Administrations (PMAs)
• 15 State Footprint
• 1400 employees. Four regions, one HQ
• Over 700 wholesale customers
• 17,000 miles of high voltage transmission
• 319 Substations
• Approximately 440 large power transformers

Operational Spares vs. HILF Spares
Why are Spare Transformers Needed?
• WAPA has a reliability requirement to its customers, and to the bulk electric system, to be prepared for the loss of transformers.
• The unanticipated loss of a transformer in the bulk electric system directly impacts the resiliency/reliability of the system.
• Large Power Transformers typically have an acquisition lead time of 18-24 months.
  – Unique characteristics of transformers require a custom build.
• A transformer can weigh up to 100 tons and contain 25,000 gallons of oil. Transportation requires multiple specialized vehicles, road permits, and task specific crews.

Typical WAPA Large Power Transformer

Specialized Transportation
Analysis Objectives
• Develop and analyze alternatives for response to high impact low frequency events resulting in the loss of multiple transformers.
• Solicit feedback from WAPA subject matter experts (SMEs) and WAPA customers.
• Develop a final recommendation incorporating customer feedback and regional expertise.
• The analysis and subsequent report is a WAPA-wide strategy intended to produce a recommendation that most efficiently uses WAPA's entire fleet of transformer options.
Event Definition
• WAPA Analysis
  – Define three high impact low frequency event types.
  – Assume loss of all large power transformers within the impacted site.
• Local Event
  – Event center at a WAPA facility.
  – Impacted sites are within a 5 mile radius of the center.
  – All WAPA facilities could be the center of an event.
• Seismic Event
  – Event center at the Tracy or Mead facility.
  – Impacted sites are within an 80 mile radius of the center.
• Targeted Event
  – Event center at major population centers and military installations – 9 sites identified.
  – Impacted sites are within a 50 mile radius of the center.
Spares Needed
• Quantities
• Why Now?
  – Threat of physical, calculated attacks on electrical infrastructure.
  – Potential vulnerabilities in the electrical utility industry have been identified.
  – Power systems are being operated closer to their operating limits.

Alternatives Currently Under Evaluation
• WAPA Warehoused Alternative
• WAPA System Enhancement Alternative
• Grid Assurance Alternative
• Hybrid Alternative
• No Action – Status Quo
Project Timeline
• Develop draft transformer strategy analysis for HILF events
• Present strategy to customer groups and solicit feedback (stakeholder outreach)
• Modify strategy based on feedback and submit to WAPA senior managers
• Finalize strategy, recommendations, and develop funding proposal
• Final stakeholder outreach and strategy execution

Questions?
Chris Lyles
Asset Management Specialist
[email protected]
720-962-7249
Critical Infrastructure Protection Through Defense-in-Depth

Ruben Robles
Manager, Critical Infrastructure Protection
SRP

NERC CIP AND DEFENSE-IN-DEPTH
Ruben Robles – January 30, 2018

Presenter's Bio
• Ruben Robles, Manager – SRP ERC CIP Team
• [email protected]
• 602-236-8910
• @RubenRobles18
• https://www.linkedin.com/in/roblesruben/
• Bachelor of Science in Electrical Engineering
• Master of Science in Information Management
• Master of Science in Cyber Security and Information Assurance
• Arizona Professional Engineer Registration

RMEL, 01/30/2018 CIP Through Defense-in-Depth, R. Robles
Objectives
• Comprehend the Defense-in-Depth concept
• Understand how the CIP standards map to the Defense-in-Depth concept
• Realize how the Defense-in-Depth concept applies to different use cases
• Recognize the key take-aways
Defense-in-Depth
• Nothing and no one is perfect
• Everything has a weakness

Defense-in-Depth
Graphic Courtesy: https://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html
Defense-in-Depth - NSA
• Assumption: no security solution is sufficient and complete
• Multiple layers of defense mechanisms: Protect, Detect, React
• Balanced focus on People, Technology and Operations
Defense-in-Depth - DHS
• Assumption: no "silver bullet" solves cybersecurity vulnerabilities
• Multiple layers of defense mechanisms: Protect, Detect, Respond
• Holistic approach to protect Operations, Personnel and Technologies
Defense-in-Depth - SANS
• Assumption: no single measure can adequately protect a network
• Protecting through a series of defense mechanisms gives an effective security plan
• Layers of defense: Operations, Personnel, Technologies
Example - Bank
• Laws
• Cameras
• Security guard
• Bulletproof glass
• Vault/operational procedures
• Dye/track packs
• Incident response procedure/911
Graphic Courtesy: http://www.tssbulletproof.com/

The sum is much more effective than any one measure
Defense-in-Depth
• Overall Purpose: To resist attack - NSA
Graphic Courtesy: SRP Cyber Security Services
Defense-in-Depth and the CSF

NIST Cyber Security Framework functions, and the CIP standards the slide maps to each as Defense-in-Depth layers:

  Identify   CIP-002, CIP-014
  Protect    CIP-003, CIP-004, CIP-005, CIP-006, CIP-007
  Detect     (none listed)
  Respond    CIP-008
  Recover    CIP-009
Defense-in-Depth - People
Defense-in-Depth - People
 CIP-003 – Security Management Controls (low BCS)
 R1 Cyber security policies
 R2 Cyber security plan
 Attachment 1, Section 1 Cyber security awareness
 Attachment 1, Section 2 Physical security controls

 R3 Identify CIP Senior Manager



Defense-in-Depth - People
 CIP-004 – Personnel & Training
 R1 Security Awareness
 R2 Cyber Security Training

 R3 Personnel Risk Assessment (PRA)

 R4 Access Management (Authorization)

 R5 Access Revocation



Defense-in-Depth - People
 CIP-006 – Physical security
 R1 Physical security plan
 R2 Visitor control program

 R3 PACS maintenance and testing

 CIP-010 – Config management and assessments


 R4 Transient Cyber Assets (TCAs)
 Attachment 1 Section 1.2 & 3.1 TCA authorization
 CIP-014 – Physical Security
 R5 Physical security plan for critical stations



Defense-in-Depth - Technology



Defense-in-Depth - Technology
 CIP-003 – Security management controls (low BCS)
 R2 Cyber security plan
 Attachment 1, Section 3 Electronic access controls
 CIP-005 – Electronic security perimeters
 R1 Isolation, EAPs, access control, authentication, IDS
 R2 Intermediate IRA system, encryption, MFA

 CIP-007 – System security


 R1 Enable only needed logical and physical ports
 R3 Deter, detect, prevent, mitigate malicious code

 R5 Enforce authentication and password hygiene


Defense-in-Depth - Technology
 CIP-010 – Config management and assessments
 R4 Transient Cyber Assets (TCAs)
 Attachment 1 Section 1.4 & 2.2 & 3.2 Mitigate malicious code
 Attachment 1 Section 1.5 Disk encryption and MFA



Defense-in-Depth - Operations



Defense-in-Depth - Operations
 CIP-002 – BES Cyber system categorization
 R2 Approval by CIP Senior Manager of identification
 CIP-003 – Security Management Controls (low BCS)
 R2 Cyber security plan
 Attachment 1, Section 4 Cyber security incident response
 CIP-007 – System security
 R2 Patch management
 R4 Security Event Monitoring



Defense-in-Depth - Operations
 CIP-008 – Cyber incident response and reporting
 R2 Plan implementation and testing
 R3 Plan review, update, and communication

 CIP-009 – Recovery plans


 R2 Plan implementation and testing
 R3 Plan review, update, and communication



Defense-in-Depth - Operations
 CIP-010 – Config management and assessments
 R1 Configuration change management
 R2 Configuration monitoring

 R3 Vulnerability assessments

 R4 Transient Cyber Assets (TCAs)


 Attachment 1 Section 1.1 TCA management
 Attachment 1 Section 1.3 & 2.1 TCA Patching and system hardening
 Attachment 1 Section 2.3 TCA Additional mitigation actions



Defense-in-Depth - Operations
 CIP-011 – Information protection
 R1 Identify & protect BES Cyber System Information
 R2 BCA reuse and disposal

 CIP-014 – Physical Security


 R3 Communication of identification and verification
 R4 Transmission station risk assessments

 R6 Security plan review



Defense-in-Depth - Remote Access
1) Policies (People)
2) Awareness and training (People)
3) Procedures (Operations)
4) Enterprise Firewall (Technology)
5) Authorization (People)
6) Internal Firewall (Technology)
7) VPN/MFA (Technology)
8) Encryption (Technology)
9) IDS (Technology)
10) Event monitoring (Operations)
11) AV/Whitelisting (Technology)
12) Patching (Operations)
13) Authentication enforcement (Technology)
14) Password hygiene (Operations)


Defense-in-Depth - Local Access
1) Policies (People)
2) Awareness and training (People)
3) Procedures (Operations)
4) Authorization (People)
5) Gates/walls (People)
6) Card authentication (People)
7) Internal Firewall (Technology)
8) IDS (Technology)
9) Network isolation (Technology)
10) Event monitoring (Operations)
11) AV/Whitelisting (Technology)
12) Patching (Operations)
13) Port restrictions (Technology)
14) Authentication enforcement (Technology)
15) Password hygiene (Operations)

Defense-in-Depth - Malicious Code
1) Policies (People)
2) Awareness and training (People)
3) Procedures (Operations)
4) Enterprise Firewall (Technology)
5) Internal Firewall (Technology)
6) IDS (Technology)
7) Event monitoring (Operations)
8) AV/Whitelisting (Technology)
9) Patching (Operations)
10) Port restrictions (Technology)
11) Authentication enforcement (Technology)
12) Password hygiene (Operations)

Defense-in-Depth - Insider Threat
1) PRA (People)
2) Policies (People)
3) Awareness and training (People)
4) Procedures (Operations)
5) Least privilege (People)
6) Separation of duties (Operations)
7) Gates/walls (People)
8) Card authentication (People)
9) Event monitoring (Operations)
10) Patching (Operations)
11) Password hygiene (Operations)


Key Take-Aways
 All people, technology, and operations practices have security flaws.
 There are too many attack vectors for any one security measure to protect.
 People are the biggest vulnerability, but the malicious insider is the biggest threat.
 Layers of security measures can mitigate against security flaws, multiple attack vectors, and the insider threat.


Sources
 https://www.iad.gov/iad/library/ia-guidance/archive/defense-in-depth.cfm
 https://www.us-cert.gov/bsi/articles/knowledge/principles/defense-in-depth
 https://www.sans.org/reading-room/whitepapers/basics/defense-in-depth-525
 https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
 https://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html
 https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf


CIP and Defense-in-Depth
Thank you
Organizational Preparedness For
An Active Threat Incident

Gilbert D. Flores
Emergency Management Specialist
Western Area Power Administration

Tiffani DeFore
Emergency Management Program Manager
Western Area Power Administration
Organizational preparedness for
an active threat incident
Tiffani DeFore & Gilbert Flores
WAPA Emergency Management Program

January 31, 2017


RMEL’s Physical & Cyber Security Conference
Tempe, AZ

Subject, Office or event


Background
• Simulated event
• Two disgruntled members of the public enter building through
unsecure side door
• Exercise lasted approximately 40 mins
• Time shooting began to apprehending shooters
• Federal Protective Service conducted the exercise
• Local Federal and City Law Enforcement
• External observers
• WAPA employees volunteered as victims
• Employees prepared through
• Training
• Email messages
• One-on-one discussions/quick reference card
• Employee staff meetings


Scenario
On Sep 14, 2017, at 9:07am, two FPS officers acting in the roles of active shooters initiated the exercise by firing 12-gauge shotgun blank rounds simultaneously on the first and third floor near the northwest end of the building. The two active shooter role players then proceeded with their actions, one acting on the first and second floors and one on the third floor.

Approximately 5 minutes after initiation, the first two responding law enforcement officers made entry into the WAPA HQ building. All other responding law enforcement officers arrived and made entry between 7-10 minutes after initiation.

Some employees made the decision to stay and hide according to their respective plans while most employees were able to safely exit the building.

The responding law enforcement officers were able to locate and stop the active shooter role players by 9:52am, thus terminating the exercise.


EM role in exercise
• Coordinated with Federal Protective Service
• Date and time
• Communications to senior management
• Worked with leadership to ensure desired communication with employees
• Communications to employees
• Employee training
• FPS mandatory all participant training
• Email reminders
• Fact sheet
• Information sharing with other Federal agencies
• Colorado Federal Executive Board, Emergency Preparedness Council


FAQ example

Who
What
Why
Where



Day of Exercise
• Participation
• Voluntary
• Employee participation level
• Volunteer victims
• Guard service
• Controls
• Screening
• Safety brief
• Holding area
• Safe zone
• Role play controllers
• Observers



Post exercise
• Hot Wash
• All employee invitation
• Review of exercise
• Allowed for decompression
• FPS debrief–two months later
• Video and closing remarks
• Table top exercise
• What leadership needs to think about after an active
shooter event
• Employee accountability



Next Steps
• Bring Exercise to WAPA regional office
• Work with local staff
• Coordinate with local law enforcement or FPS
• Training run, hide, fight
• Things to think about
• Notification protocols in place
• Orders of succession
• Crime scene
• Can duties be devolved
• Dealing with post-traumatic issues



Questions/Contacts

Tiffani DeFore, EM Program Manager, WAPA, [email protected], 720.962.7216
Gilbert Flores, EM Specialist, WAPA, [email protected], 720.962.7545


Active Vulnerability Assessments for
High Impact BES Cyber Systems

Ruben Robles
Manager, Critical Infrastructure Protection
SRP
Electric Reliability Compliance

Active Vulnerability Assessments for High Impact BES Cyber Systems
RMEL Physical and Cyber Security Conference
Tempe, AZ
January 31, 2018

RMEL, Active Vulnerability Assessments for High Impact BES Cyber Systems, R Robles, 01/30/18 1
Presenter Bio

About Me
• Ruben Robles, Manager – SRP ERC CIP Team
[email protected]
• 602-236-8910
• @RubenRobles18
• https://www.linkedin.com/in/roblesruben/
• Bachelor of Science in Electrical Engineering
• Master of Science in Information Management
• Master of Science in Cyber Security and Information Assurance
• Arizona Professional Engineer Registration
• 11yrs in Telecommunications
Objectives

• Review CIP-010 R3.2


• Provide overview of NERC and WECC guidance
• Examine NIST publication 800-115
• Dive into industry practices

About Salt River Project

Statistics
Authorized under the National Reclamation Act
Serving Central Arizona since 1903
Provide generation, transmission, and distribution services
Nation’s third-largest public power utility
BA, DP, GO, GOP, PA/PC, RP, TO, TOP, TP, & TSP within WECC

Employees – 5,186
Service Territory – 2,900 mi²
Peak Load – 6,873 MW
Transmission – >3,000 mi
Customers – Approx. 1M
Distribution – <20,000 mi
Substations – 319
High Impact BCS – 2
Generation Units – 46
Medium Impact BCS – 21

CIP-010 R3.2

Word for Word


• Perform an active vulnerability assessment
– in a test environment,
– or perform an active vulnerability assessment in a
production environment
• where the test is performed in a manner that minimizes adverse
effects
– that models the baseline configuration of the BES Cyber
System in a production environment; and…
CIP-010 R3.2

Word for Word


• Document
– the results of the testing and,
– if a test environment was used,
• the differences between the test environment and the production
environment,
• including a description of the measures used to account for any
differences in operation between the test and production
environments

CIP-010 R3

NERC Guidance
• “…models the baseline configuration of the BES Cyber
System”
– Guidance and Technical Basis
• “…the requirement is to ‘model’ the baseline configuration and
not duplicate it exactly.”
• “…BES Cyber System at a Control Center to be modeled that may
not otherwise be able to be replicated or duplicated exactly.”
– Red Seal

Active Vulnerability Assessment

Plan of Action
• Determine purpose
• Determine objective
• Determine capabilities
• Determine resources
• Create sustainable processes

CIP-010 R3

NERC Guidance
• Active Vulnerability Assessment
– Network Discovery
– Network Port and Service Identification
– Vulnerability Scanning
– Wireless Scanning

Active Vulnerability Assessment

Network Port and Service Identification (NERC Guidance)


• Use of active discovery tools (such as Nmap) to discover
open ports and services.
• Purpose
– Flag potentially vulnerable services (NIST SP800-115)

Active Vulnerability Assessment

Network Port and Service Identification (NERC Guidance)


• CIP-007 R1
– Enable only needed ports
– Identify ports and ranges deemed needed
• Tools
– NMAP
– Netstat
– Tripwire IP360
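What the port and service identification step should hand the assessor is a delta, not a raw scan. The following is an added Python example (not code from this presentation, from NERC, or from SRP) that parses Nmap grepable (-oG) output and diffs it against the CIP-010 R1 baseline of ports deemed needed under CIP-007 R1. The scan text, the host names and addresses, and the baseline are constructed sample data; the baseline is deliberately given a UDP entry so the example shows why a TCP-only SYN scan must not report it as missing.

```python
"""
Port and service identification: compare what an active scan found with the
documented list of needed ports, and report the deltas for review.

Added example for this section; not code from the RMEL presentation, NERC,
or SRP. The Nmap -oG output and the baseline below are constructed.
"""

# Constructed sample: Nmap grepable (-oG) output for three hosts in an ESP.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.70 scan initiated as: nmap -sS -p- -oG - 10.10.1.0/29
Host: 10.10.1.10 (ems-hmi-01)\tStatus: Up
Host: 10.10.1.10 (ems-hmi-01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65532)
Host: 10.10.1.11 (rtu-gw-01)\tStatus: Up
Host: 10.10.1.11 (rtu-gw-01)\tPorts: 22/open/tcp//ssh///, 20000/open/tcp//dnp///\tIgnored State: filtered (65533)
Host: 10.10.1.12 ()\tStatus: Up
Host: 10.10.1.12 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (65534)
# Nmap done -- 8 IP addresses (3 hosts up) scanned
"""

# Constructed sample baseline (hypothetical, not anyone's real CIP-010 R1
# document): per host, the (protocol, port) pairs deemed needed.
BASELINE = {
    "10.10.1.10": {("tcp", 22), ("tcp", 443)},
    "10.10.1.11": {("tcp", 22), ("tcp", 502), ("tcp", 20000), ("udp", 123)},
}


def parse_grepable(text):
    """Return {ip: {(proto, port): service}} for every open port in -oG output."""
    discovered = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines
        fields = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value
        ip = fields["Host"].split()[0]
        host_ports = discovered.setdefault(ip, {})
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue  # status-only line, no Ports field
            # -oG port field layout: port/state/proto/owner/service/rpc/version/
            port, state, proto, _owner, service, *_rest = entry.split("/")
            if state == "open":
                host_ports[(proto, int(port))] = service
    return discovered


def compare_to_baseline(discovered, baseline, scanned_protocols=("tcp",)):
    """Return (ip, finding, detail) tuples for the assessor to review.

    Baseline entries whose protocol was not scanned (e.g. UDP after a
    TCP-only SYN scan) are skipped rather than reported as missing.
    """
    findings = []
    for ip in sorted(set(discovered) | set(baseline)):
        open_ports = discovered.get(ip, {})
        needed = baseline.get(ip, set())
        if ip not in baseline:
            findings.append((ip, "host not in baseline", "undocumented or rogue device"))
        for proto, port in sorted(set(open_ports) - needed):
            service = open_ports[(proto, port)] or "unknown"
            findings.append((ip, "open port not in baseline", f"{proto}/{port} ({service})"))
        for proto, port in sorted(needed - set(open_ports)):
            if proto in scanned_protocols:
                findings.append((ip, "baseline port not observed", f"{proto}/{port}"))
    return findings


if __name__ == "__main__":
    results = compare_to_baseline(parse_grepable(SAMPLE_NMAP_GREPABLE), BASELINE)
    for ip, finding, detail in results:
        print(f"{ip:12} {finding:28} {detail}")
```

Each "open port not in baseline" line is either a port to disable (CIP-007 R1) or a baseline to update (CIP-010 R1); a "baseline port not observed" line usually means a service was down during the scan or the baseline is stale, and "host not in baseline" is the network-discovery case where the scanned architecture does not match the documented one.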
Active Vulnerability Assessment

Vulnerability Scanning (NERC Guidance)


• Use of a vulnerability scanning tool to identify network
accessible ports and services along with the
identification of known vulnerabilities associated with
services running on those ports.
– Purpose (NIST SP800-115)
• Check compliance with host application usage and security policies
• Provide information on targets for penetration testing
• Provide information on how to mitigate discovered vulnerabilities
Active Vulnerability Assessment

Vulnerability Scanning
• CIP-010 R1
– Document logical network accessible ports for the baseline
• Tools
– Tenable – Nessus
– Rapid7 – Nexpose
– Tripwire – IP360
Courtesy: https://www.gartner.com/reviews/market/vulnerability-assessment

Active Vulnerability Assessment

Network Discovery (NERC Guidance)


• Network Discovery - Use of active discovery tools to
discover active devices and identify communication
paths in order to verify that the discovered network
architecture matches the documented architecture.
– Purpose (NIST SP800-115)
• Detect unauthorized or rogue devices operating on a network
• Gathering information for topology maps
• Discovering vulnerabilities in systems and network configurations
Active Vulnerability Assessment

Network Discovery (Passive vs. Active)


• Not performed in any other requirement
• Passive
– Sniffing traffic
– More resources needed
• Active
– Solicit responses
– Can cause system failures
Active Vulnerability Assessment

Network Discovery (Tools)


• Firemon Security Manager
• Tripwire IP360
• CA Spectrum
• Solarwinds Orion
• Qualys Guard
• Dragos*
• DarkTrace*
• NexDefense*
*Performs primarily as threat detection
Courtesy: https://www.solarwinds.com/network-operations-manager

Active Vulnerability Assessment

Wireless Scanning (NERC Guidance)


• Wireless Scanning – Use of a wireless scanning tool to
discover wireless signals and networks in the physical
perimeter of a BES Cyber System. Serves to identify
unauthorized wireless devices within the range of the
wireless scanning tool.
• Purpose
– “identify unauthorized wireless devices within the range of
the wireless scanning tool”
Active Vulnerability Assessment

Wireless Scanning (WECC Guidance)


• WECC Compliance Workshop
– November 14, 2017
– Look for “the presence of wireless networks in the area.”
– “If they exist and are not authorized by you, that’s a
vulnerability you need to explore.”

Active Vulnerability Assessment

Determine Objective
• How do you address the new device/network?
• Possible objectives
– Ensure the signal strength is weaker
– Identify the device/SSID/BSSID
– Ensure the device is not on the BCS
– Ensure the device complies with org’s policy
– Ensure SSID is not broadcast
– Update documentation
– Confirm wireless isn’t being used for the BCS
Active Vulnerability Assessment

Wireless Scanning (Passive vs. Active)


• Description
– Passive scans transmit no data, nor do the tools, in any way,
affect the operation of deployed wireless devices.
• Purpose
– Remain undetected
• Weaknesses
– May not receive all transmissions
Active Vulnerability Assessment

Wireless Scanning (Passive vs. Active)


• Description
– Attempts to attach to discovered devices
• Purpose
– conduct penetration or vulnerability-related testing
• Weakness
– May scan or connect to devices not owned by the
organization
Active Vulnerability Assessment

Wireless Scanning (Resources)


• Devices and SSIDs marked on a map
• Devices are investigated to ensure they are not in the
ESP
• Basic scanning with visual review
• Match BSSIDs to known BSSIDs
• Wireless IDS (WIDPS)

Active Vulnerability Assessment

Wireless Scanning (Tools)


• Netsh
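The Resources slide above puts the wireless step down to matching observed BSSIDs against known ones. As an added Python example (not code from this presentation, from SRP, or from Microsoft), the block below parses the text that `netsh wlan show networks mode=bssid` prints on Windows and checks each beacon against an authorized-AP inventory. The netsh output, the SSIDs, the BSSIDs and the inventory are all constructed sample data; the 60% signal threshold is an assumed cut-off for "close enough to matter", not anything the slides specify.

```python
"""
Wireless scanning: match BSSIDs seen by netsh against the authorized
inventory and flag what an assessor should investigate.

Added example for this section; not code from the RMEL presentation,
SRP, or Microsoft. The netsh text and the inventory are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample of "netsh wlan show networks mode=bssid" output.
SAMPLE_NETSH = """\
Interface name : Wi-Fi
There are 4 networks currently visible.

SSID 1 : CorpOps
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:01
         Signal             : 82%
         Radio type         : 802.11ac
         Channel            : 36
    BSSID 2                 : 00:11:22:33:44:02
         Signal             : 41%
         Radio type         : 802.11ac
         Channel            : 149

SSID 2 :
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : de:ad:be:ef:00:01
         Signal             : 90%
         Radio type         : 802.11n
         Channel            : 6

SSID 3 : PlantGuest
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:10
         Signal             : 30%
         Radio type         : 802.11n
         Channel            : 11

SSID 4 : CorpOps
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:99
         Signal             : 35%
         Radio type         : 802.11n
         Channel            : 1
"""

# Constructed (hypothetical) inventory: authorized BSSID -> SSID it should carry.
AUTHORIZED = {
    "00:11:22:33:44:01": "CorpOps",
    "00:11:22:33:44:02": "CorpOps",
    "00:11:22:33:44:10": "PlantGuest",
}


@dataclass
class Beacon:
    ssid: str          # empty string when the SSID is hidden
    bssid: str
    auth: str
    signal: int        # percent, as netsh reports it
    channel: int


SSID_RE = re.compile(r"^SSID \d+\s*:\s?(.*)$")
KV_RE = re.compile(r"^\s+(BSSID \d+|Authentication|Signal|Channel)\s*:\s*(.*)$")


def parse_netsh_networks(text):
    """Return one Beacon per BSSID line, carrying its SSID block's authentication."""
    beacons, ssid, auth, current = [], "", "unknown", None
    for line in text.splitlines():
        m = SSID_RE.match(line)
        if m:                                  # new SSID block resets per-block state
            ssid, auth, current = m.group(1).strip(), "unknown", None
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Authentication":
            auth = value
        elif key.startswith("BSSID"):
            current = Beacon(ssid, value.lower(), auth, 0, 0)
            beacons.append(current)
        elif key == "Signal" and current:
            current.signal = int(value.rstrip("%"))
        elif key == "Channel" and current:
            current.channel = int(value)
    return beacons


def assess(beacons, authorized, strong_signal=60):
    """Return (severity, bssid, message) findings; unknown BSSIDs with a strong
    signal are rated high because they are likely near or inside the perimeter."""
    findings = []
    for b in beacons:
        label = b.ssid or "<hidden>"
        if b.bssid not in authorized:
            severity = "high" if b.signal >= strong_signal else "medium"
            findings.append((severity, b.bssid,
                             f"unknown BSSID advertising '{label}' ({b.auth}, ch {b.channel}, {b.signal}%)"))
        elif authorized[b.bssid] != b.ssid:
            findings.append(("high", b.bssid,
                             f"known BSSID advertising '{label}', inventory says '{authorized[b.bssid]}'"))
        elif b.auth.lower() == "open":
            findings.append(("medium", b.bssid, f"authorized BSSID '{label}' is an open network"))
    return findings


if __name__ == "__main__":
    for severity, bssid, message in assess(parse_netsh_networks(SAMPLE_NETSH), AUTHORIZED):
        print(f"[{severity:6}] {bssid}  {message}")
```

The two findings on the sample are the two cases the slides call out: a hidden, open network with a strong signal (an unknown device to locate and confirm is not on the BCS), and a second, unlisted BSSID beaconing the corporate SSID (a fake beacon or a misconfigured AP). A real assessment would run the scan from several points on the perimeter and compare the union of results, since a single capture may not receive every transmission.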

Active Vulnerability Assessment

Wireless Scanning (Tools)


• Netsurveyor
– Free
– PDF Reports
– Beacon quality
– Diagnostic charts
– Data playback
– Heatmaps
Graphic Courtesy: http://nutsaboutnets.com/netsurveyor-wifi-scanner/
Active Vulnerability Assessment

Wireless Scanning (Tools)


• Kismet
– Free
– Logs all sniffed packets
– Detects active sniffers
– WIDPS features
– Maps
Graphic Courtesy: https://www.kismetwireless.net/

Active Vulnerability Assessment

Wireless Scanning (Tools)


• Acrylic Wifi
– Free (Almost)
– Heatmaps
– Packet viewer
– Reports

Graphics Courtesy: https://www.acrylicwifi.com/

Active Vulnerability Assessment

Wireless Scanning (Tools)


• Ekahau
– Heatmap
– Spectrum analysis
– Identify rogue APs
– Fake beacons
– Detects RF Jamming
Graphics Courtesy: https://www.ekahau.com/products/ekahau-site-survey/features

Active Vulnerability Assessment

Wireless Scanning (Tools)


• Airwave
– WIDPS
– Heatmaps
– Reports
– Config audits

Graphics Courtesy: http://www.arubanetworks.com/


Sources

• NERC CIP-010-2
• NIST SP800-115
• WECC Compliance Workshop (6 hrs 18 min into the recording)
• Netsurveyor
• Kismet
• Acrylic
• Ekahau
• Airwave