NERC Security Guideline Workshop
Sponsored by: APPA, EEI and NRECA

George T. Miserendino
Triton Security Solutions
Solutions@TritonSecSol.com
952-423-3457

Triton Security Solutions, Inc.

Table of Contents
NERC Security Guideline Workshop, Overview and Development Session

I. Overview and Development
II. Electricity Sector Security Guidelines
   - Vulnerability Assessment and Risk Assessment
   - Threat Response
   - Emergency Plans
   - Continuity of Business
   - Communications
   - Physical Security
   - Employment Screening
   - Protecting Sensitive Information
   - Cyber Security
       - I.T. Risk Management
       - Cyber Access Control
       - I.T. Firewalls
       - I.T. Intrusion Detection
   - Process Control Systems Security
   - Threat and Incident Reporting

Security Guidelines: Executive Summary

These guidelines describe:
   - General approaches
   - Considerations
   - Practices
   - Planning philosophies

Implementation should reflect an individual organization's assessment of its own:
   - Needs
   - Vulnerabilities and consequences
   - Tolerance for risk

Security Guidelines: Basic Objective

The intent of the guidelines is to:
   - Provide industry "Best Practices" for the protection of "Critical Facilities" against a "Spectrum of Threats"

Participants in the Guideline Development Process
   - North American Electric Reliability Council
       - Critical Infrastructure Protection Advisory Group (CIPAG), sponsored by NERC
   - National Rural Electric Cooperative Assoc.
   - Edison Electric Institute Security Committee
   - American Public Power Assoc.
   - Department of Energy
   - Department of Agriculture

Security Guidelines: Principles, continued
   - Each company is free to define and identify those facilities and functions it believes to be critical.
   - The ability to mitigate the loss of a facility through redundancies, spare parts and detailed response and recovery plans may make that facility less critical.

Security Guidelines: Critical Facility defined as

Any facility or combination of facilities which, if severely damaged or destroyed, would:
   1. Have a significant impact on the ability to serve large numbers of customers for an extended period of time.
   2. Have a detrimental impact on the reliability or operability of the energy grid.
   3. Cause significant risk to:
      A. National security
      B. National economic security
      C. Public health and safety.

Security Guidelines: Spectrum of Threats
   - Weather-related incidents (storms, floods, fires, earthquakes, etc.)
   - Acts of vandalism
   - Acts of activism
   - Acts of terrorism
   - Acts of an insider

The Electricity Sector is a Target
   - Critical support to:
       - Economy
       - National security
       - Public well-being
   - Conduit to national security or economic targets
   - Conduit to other critical infrastructures

Source: NERC

Who is Targeting the Electricity Sector?
   - Hackers
   - Vandals
   - Activists
   - Criminals
   - Terrorists
   - Nation States
   - The threat is inside and outside!

Source: NERC

Spectrum of Threats
   1. What needs to be protected?
   2. Who are we protecting against?
   3. Worst Consequences + Highest Probability = Prioritized Ranking

Threat spectrum -> Target -> Potential scenarios
   - Threat spectrum: Activists, Criminal, Psych. Impaired, Terrorist
   - Target: Critical Facility
   - Potential scenarios: Violent Demonstration, Bomb Threat, Block Access to Facility, Vandalism, Armed Attack, Power Outage (Facility Damaged)

Who Do We Need to Protect Against?

Threats
   - INSIDER
       - Disgruntled (ex) employee
       - Potentially violent or psychologically deranged
   - OUTSIDER
       - Activists
       - Terrorist
       - Vandalism

Guidelines Access
   - http://www.esisac.com/library.htm
   - http://www.oea.dis.anl.gov

NERC Vulnerability and Risk Assessment

Vulnerability and Risk Assessment Guideline
Purpose:
   - Identify and prioritize critical facilities and impacts of loss.
   - Identify countermeasures to mitigate vulnerabilities of critical facilities.

Applicability:
   - All companies should perform a 5-step vulnerability assessment on Critical Facilities.
   - Focus is on facilities meeting the threshold definition for "CRITICAL".

Implementation Considerations: Best Practices
   - Use a team approach: subject matter experts knowledgeable of "the system" (brainstorming session)
       - Security/Facilities/Safety
       - Operations, Maintenance, and Logistics
       - Engineering
       - I.T.

Best Practices, cont.
   - Employ a risk assessment worksheet process:
       1. Identify assets (critical facilities) and loss impact.
       2. Characterize the threat.
       3. Identify and analyze vulnerabilities (consider interdependencies).
       4. Assess risk (subjectively) and determine priorities.
       5. Identify countermeasures, costs and trade-offs.

Source: DOE

Identify Countermeasures, Costs and Trade-offs: the VRAP cycle

   Identify Critical Facilities
      -> Identify and Characterize Threats
      -> Identify and Analyze Vulnerabilities
      -> Assess Risk and Prioritize
      -> Identify Countermeasures
      -> back to Identify Critical Facilities

Source: DOE VRAP

Critical Facility Risk Value Table

   Risk Value = Facility Criticality x Likelihood of Occurrence
   Likelihood of Occurrence = threat x vulnerability

Worksheet columns: Critical Facility Category | Critical Facilities | Criticality Point Value | Threat | Vulnerability | Risk Value

Rows (left blank on the slide, to be filled in per company):
   - Generator
   - Substation
   - System Control Center/Office
   - Warehouse
   - Yard/Garage

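The five-step worksheet process above and the Risk Value formula (Risk Value = Criticality x Threat x Vulnerability) are easy to misapply when the worksheet is filled by hand, so here is an added example that carries the worksheet through in code. It is not part of the workshop slides or of any DOE tool; the facilities, 1-to-5 point scores, and countermeasure costs are constructed sample data, and the "risk reduced per dollar" metric for step 5 is an assumption used to compare countermeasures, not a metric the slides prescribe.

```python
"""Worked VRAP-style risk worksheet (added example, not from the slides).

Steps 1-4: score each facility and rank by
    Risk Value = Criticality x Likelihood, Likelihood = Threat x Vulnerability
Step 5: compare candidate countermeasures by risk reduced per dollar.
All facilities, scores and costs below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Facility:
    name: str
    category: str       # Generator, Substation, System Control Center, ...
    criticality: int    # criticality point value, 1 (low) .. 5 (high)
    threat: int         # likelihood an adversary targets it, 1 .. 5
    vulnerability: int  # ease of success against current measures, 1 .. 5


@dataclass(frozen=True)
class Countermeasure:
    facility: str                 # name of the facility it applies to
    description: str
    cost: float                   # one-time cost in dollars (constructed)
    vulnerability_reduction: int  # points removed from the vulnerability score


# Constructed sample facilities (step 1: assets, step 2: threat, step 3: vulnerability)
FACILITIES = [
    Facility("North Tie Substation", "Substation", criticality=5, threat=3, vulnerability=4),
    Facility("Peaking Plant Unit 2", "Generator", criticality=3, threat=2, vulnerability=3),
    Facility("System Control Center", "System Control Center/Office", criticality=5, threat=4, vulnerability=2),
    Facility("Fleet Garage", "Yard/Garage", criticality=1, threat=2, vulnerability=5),
]

# Constructed candidate countermeasures for step 5
COUNTERMEASURES = [
    Countermeasure("North Tie Substation", "Perimeter intrusion sensors and lighting", 40_000, 2),
    Countermeasure("Fleet Garage", "Replace damaged fence", 10_000, 3),
    Countermeasure("System Control Center", "Badge-plus-PIN access at control room doors", 25_000, 1),
]


def likelihood(f: Facility) -> int:
    """Likelihood of occurrence as the slide defines it: threat x vulnerability."""
    return f.threat * f.vulnerability


def risk_value(f: Facility) -> int:
    """Risk Value = Facility Criticality x Likelihood of Occurrence."""
    return f.criticality * likelihood(f)


def prioritize(facilities):
    """Step 4: rank facilities, highest risk value first."""
    return sorted(facilities, key=risk_value, reverse=True)


def apply_countermeasure(f: Facility, cm: Countermeasure) -> Facility:
    """Re-score a facility after a countermeasure; vulnerability never drops below 1."""
    new_vuln = max(1, f.vulnerability - cm.vulnerability_reduction)
    return Facility(f.name, f.category, f.criticality, f.threat, new_vuln)


def evaluate_countermeasures(facilities, countermeasures):
    """Step 5: (countermeasure, risk reduced, risk reduced per dollar), best value first."""
    by_name = {f.name: f for f in facilities}
    results = []
    for cm in countermeasures:
        before = by_name[cm.facility]
        after = apply_countermeasure(before, cm)
        reduced = risk_value(before) - risk_value(after)
        per_dollar = reduced / cm.cost if cm.cost else float("inf")
        results.append((cm, reduced, per_dollar))
    return sorted(results, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print("Prioritized facilities:")
    for f in prioritize(FACILITIES):
        print(f"  {risk_value(f):3d}  {f.name} ({f.category})")
    print("Countermeasures by risk reduced per dollar:")
    for cm, reduced, per_dollar in evaluate_countermeasures(FACILITIES, COUNTERMEASURES):
        print(f"  {per_dollar:.6f}/$  reduces {reduced:3d}  {cm.facility}: {cm.description}")
```

Note what the two rankings show: the substation carries the highest raw risk value and its countermeasure removes the most risk, but the control center countermeasure returns more risk reduction per dollar, which is the trade-off step 5 asks the team to weigh rather than simply funding the top of the step 4 list.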
NERC Threat Response Guideline

Threat Response Guideline
Purpose:
   - Ensures that companies provide enhanced security in response to threat advisories from:
       - Department of Homeland Security
       - NERC Threat Notices (ESISAC)
       - State Agencies
       - DHS / IAIP
       - D.O.T. (Combo Utilities)

Applicability:
   - Plans, policies and procedures which contribute to the protection of company "CRITICAL FACILITIES"
   - NERC response guidance is consistent with the Homeland Security Advisory System
       - Describes elements for consideration based on threat levels
       - Addresses physical and cyber security threats

Homeland Security Advisory System
Purpose:
   - Provides a comprehensive and effective means to disseminate information regarding the risk of terrorist or criminal attacks.
   - Five (5) levels intended to characterize appropriate levels of:
       - Vigilance
       - Preparedness
       - Response

Homeland Security Advisory System

   SEVERE   - Severe Risk of Terrorist Attacks
   HIGH     - High Risk of Terrorist Attacks
   ELEVATED - Significant Risk of Terrorist Attacks
   GUARDED  - General Risk of Terrorist Attacks
   LOW      - Low Risk of Terrorist Attacks

Source: Office of Homeland Security

NERC Physical Security

Physical Security Guideline
Purpose:
   - Mitigates the threat through the implementation of physical security measures to:
       - Safeguard personnel
       - Prevent unauthorized access to critical equipment, systems, materials and information at CRITICAL FACILITIES

Applicability:
   - Critical equipment, systems, material and information at CRITICAL FACILITIES.

Implementation Considerations:
Best Practices:
   - Implement a program and plan based on a "SYSTEMS APPROACH" of:
       - Deterrence
       - Detection
       - Assessment and Communications
       - Delay and Response
   - Implement a security awareness program for employees:
       - Priority Number 1
       - Observe and Report

Best Practices, cont.:
       - Aware of "The Environment"
       - Heightened VIGILANCE
   - Limiting access to "CRITICAL FACILITIES" through applied technologies
   - Requesting law enforcement patrols during periods of heightened threat

Recommendation:
   - Develop a security plan reflecting changes in "THREAT LEVEL"
   - Employ strategies of deterrence
       - Lighting
       - Signage
       - CCTV
       - Patrols

Elements of Physical Security

   - Deter: Signs, Patrols, Lighting, & Fencing
   - Detect: Sensors, Patrols, & Door Alarms
   - Assess & Communicate: Cameras, & Central Alarm Station Monitoring
   - Delay & Respond: Barriers, Security Officers, & Police

Physical Security Goals
   - Employee safety.
   - Litigation avoidance.
   - Prevention or deterrence against intentional disruption to the system.
   - Reduction of theft.

NERC Emergency Plans Guideline

Emergency Plans Guideline
Purpose:
   - Ensures the company is prepared to respond to the "Spectrum of Threats" (Physical & Cyber):
       - Trespassing
       - Vandalism
       - Civil disruptions
       - Sabotage
       - Acts of terror
       - Cyber incidents

Applicability:
   - Company defined "CRITICAL FACILITIES"
   - Focused on responding to incidents
   - Priority: restoration and recovery of "THE SYSTEM"

Implementation Considerations:
Best Practices: "The Plan"
   - Flexible
   - Update annually
   - Update after an incident
       - Identify "lessons learned"
       - What went right
       - What can be improved
   - Key responders are identified with "Specific Tasks & Duties"

Best Practices: "The Plan", continued
   - Designate an Emergency Management Team
       - Operations and Maintenance
       - Communications
       - Logistics
       - I.T.
       - Security/Facilities/Safety
   - Media relations coordinator
   - Annual orientation for key responders
   - Annual "TABLE TOP" exercise
       - Scenario driven

Best Practices: "The Plan", continued
   - After actual employment of the plan or after "TABLE TOP" exercises
       - Perform a "LESSONS LEARNED"
       - Modify plan based on "LESSONS LEARNED"
   - Identify an alternative reporting location for key responders
   - Identify priorities for emergency response
       - Protecting life
       - Restoring services

Recommendation:
   - Develop the security response plan and attach it as a separate annex to the "WEATHER/STORM" response plan
   - Assure consistency with NERC physical and cyber threat alert levels
   - Build on experiences in protecting critical infrastructure
       - Gulf War
       - Y2K
       - 9-11

Integrate Physical Security into the Plant's and Company's Overall Emergency Risk Management Planning & Program

The Four Phases of Emergency Risk Management (a cycle around "All Risks & Hazards"):
   Mitigation -> Preparedness -> Response -> Recovery -> Mitigation

Phases of Emergency Risk Management
   1. Mitigation (long-term): Eliminate or reduce the chance of occurrence or the effects of a risk.
   2. Preparedness (to respond): Planning how to respond in case a disaster occurs and how to ensure the right resources are available to respond effectively.
   3. Response (to disaster): Planned or unplanned activities designed to provide emergency assistance to victims of the disaster and reduce the likelihood of further damage.
   4. Recovery (short and long-term): Efforts to return the environment/victims to normal, or near normal, status.

Implementation Strategy (I):
   - Overall, "The Plan" does not need to be detailed but is supported by detailed:
       - System restoration plans
       - I.T. recovery plans
       - Life safety plans
       - Business unit continuity plans
   - Plan should include elements of:
       - Operations
       - Communications
       - Facilities
       - I.T.
       - Financial support
   - Plan exercised and updated annually

Implementation Strategy (II):
   - Develop a "Critical Incident Response Team" (C.I.R.T.)
   - "Swat Team" to respond to:
       - Explosions
       - Fires
       - Workplace violence
   - Team make-up
       - H.R.
       - Legal
       - Communications
       - Security
       - Safety
       - Business unit representative

Implementation Strategy (II), cont.:
   - Mission: deal with the incident until the business unit recovery plan is implemented
   - CIRT: single point-of-contact
       - Emergency Operations Center (E.O.C.)
   - Security operations center: focal point to monitor the incident

Implementation Strategy
Mutual Assistance Agreements for Security Incidents
   - Coordinated with
       - Local law enforcement
       - State emergency preparedness offices
   - Security plan topics
       - Bomb threats
       - Fire/Explosions
       - Chemical spills
       - Facility evacuations

Implementation Strategy
Mutual Assistance Agreements for Security Incidents, cont.
   - Recommend liaison with law enforcement
       - Critical facility tours
       - Information/plan exchange
       - Mutual training opportunities
       - Facility availability
   - Attachments
       - Notification telephone tree
       - Critical customer information
       - Equipment checklists
       - Emergency equipment suppliers

REPORT INCIDENTS TO:
   1. LOCAL LAW ENFORCEMENT (establish and maintain relationship)
   2. LOCAL FBI (establish and maintain relationship)
   3. DHS / IAIP (IAW Program: use InfraGard, CIPIS, nipc.watch@fbi.gov, 202-323-3204, -3205, -3206, 888-585-9078)
   4. Electricity Sector Information Sharing and Analysis Center (CIPIS, esisac@nerc.com, 609-452-8060 [day], 609-452-1422 [anytime])

Source: NERC

NERC Continuity of Business Processes

Continuity of Business Processes
Purpose:
   - Reduces the impact of interruptions to critical systems and ensures resumption of business and operations in a short time.
Applicability:
   - Facilities and functions considered critical to the overall operation of the company.
   - World Trade Center Disaster
       - Underscores the need
       - Many applicable "Lessons Learned"

Summary of Plan Differences

   Business Continuity Plan (BCP)
       - To recover mission critical business services and processes
       - Limited scenarios
       - Focus on technology, facilities and/or data

   Crisis Management Plan (CMP)
       - To limit intensity, manage and control negative results of an event
       - Many scenarios
       - Focus on people, products, services and reputation

Implementation Considerations: "The Plan"
   - Comprehensive tool with all critical functions having separate plans (Annexes)
   - Business recovery should be the basis
   - Updated and exercised annually
   - "LESSONS LEARNED" conducted after each exercise and incident

Implementation Considerations: "The Plan", cont.
   - Prioritize restoration of functions
       - Business systems (accounts payable and receivable, payroll, financial transactions)
       - Assure I.T. assets are available to meet the "Minimal Level" of operations
   - Identify vulnerabilities in I.T. and business systems

Implementation Considerations: "The Plan", cont.
   - Identify alternate facilities if the headquarters building is lost ("Essential")
       - Distance from headquarters
       - Controlled by company

Plan Reality Check
   - Plan design: "worst case scenario"
       - Usually one to three scenarios
   - Recovery scenarios
       - Facility losses (no access to a facility or related services)
       - Technology losses (no access to systems, equipment, information/data or services)

Recommendation:
   - Develop internally
   - Contract for external assessment
   - Functionally exercise a "portion" of the plan
   - Evaluation should be independent
       - Annual exercise
       - Document lessons learned

NERC Communications

Communications Guidelines
Purpose:
   - To establish effective liaison relationships with local offices of federal, regional, and local law enforcement where critical facilities are located
       - To promptly report security incidents
       - To develop an "INTERNAL THREAT WARNING" system
Applicability:
   - Applies to facilities and functions that are considered critical.

Implementation Considerations:
Best Practices:
   - All contact telephone numbers should be placed in the "EMERGENCY RESPONSE PLAN"
   - Staff should be trained on what is to be reported and to what organization (Sheriff, FBI)
   - A single staff organization should make "ALL" external notifications
   - Provide a familiarization tour of critical sites to law enforcement agencies
       - Explain "The System"

Best Practices, continued:
   - Key officials and responders should be issued "Emergency Responder" wallet cards containing contact information for:
       - Sheriff's Department
       - Local FBI
       - National Infrastructure Protection Center / FBI
       - Information Sharing and Analysis Center / NERC
       - Company responders
       - State Emergency Operations Center

Best Practices, continued:
   - Annually review all emergency incident response plans to assure:
       - "Responders" are aware of plan changes
   - Modify the "Weather Response Plan" by adding a "Security Incident Annex"
       - Cyber
       - Physical

Sample Wallet Card "Front"
Dakota Electric Cooperative

   Contact                  Office | Home | Cell
   General Manager
   Ops Manager
   Chief Engineer
   Safety
   I.T. Manager
   System Control Center

Sample Wallet Card "Back"

   Agency                   24x7 Emergency # | Administration #
   Dakota County Sheriff
   Farmington P.D.
   Burnsville P.D.
   State of MN EOC
   FBI, Minneapolis
   DHS / IAIP
   NERC / ISAC

REPORT INCIDENTS TO:
   1. LOCAL LAW ENFORCEMENT (establish and maintain relationship)
   2. LOCAL FBI (establish and maintain relationship)
   3. DHS / IAIP (IAW Program: use InfraGard, CIPIS, nipc.watch@fbi.gov, 202-323-3204, -3205, -3206, 888-585-9078)
   4. Electricity Sector Information Sharing and Analysis Center (CIPIS, esisac@nerc.com, 609-452-8060 [day], 609-452-1422 [anytime])

Source: NERC

NERC Employment Background Screening

Employment Background Screening
Purpose:
   - Contributes to mitigating the "INSIDER" threat by assuring only trustworthy and reliable personnel have unescorted access to critical facilities
   - May prevent or deter:
       - Regulatory issues
       - Negligent hiring
       - Theft
       - Drug use

Applicability:
   - Regulated programs
       - D.O.T. (Gas)
       - Commercial drivers license (CDL) programs
   - Employees, contractors and vendors with unescorted access to company defined "Critical Facilities"

Implementation Considerations:
Best Practices:
   - Program must adhere to all Federal and State laws
   - Use a comprehensive employment application form
   - Publish "Disqualification Criteria"
   - Subcontract investigative services

Recommendation:
   - At a minimum, a program should consist of the following elements:
       - Verification of Social Security Number
       - Local level criminal history check (county of residence)
       - Employment checks
       - Motor vehicle license information
       - Drug screen
       - Verification of highest level of education or professional certification

NERC Protecting Potentially Sensitive Information

Protecting Potentially Sensitive Information
Purpose:
   - Ensure that potentially sensitive information regarding critical infrastructure is properly protected

Applicability:
   - Information, both physical and electronic, defined by the company as "SENSITIVE"
       - Critical infrastructure targets
       - Personnel information
       - Security measures
       - Operational vulnerabilities
       - Details on critical operating facilities and systems

Implementation Considerations:
Best Practices:
   - Apply "The Need-to-Know" principle to access to sensitive information
   - Develop a policy defining the protection strategies
   - Assess "The Life-Cycle" of information in your company (physical and cyber)
       - Production
       - Storage
       - Transmission
       - Destruction

Recommendation:
   - Question governmental organizations when they request "Sensitive Information"
       - Assurance of confidentiality
   - Designate a single person responsible for reviewing requests for "Sensitive Information"

Implementation Strategy
Protecting Sensitive Company Operating System Information
   - Companies should ensure that there are procedures in place to preclude the release of sensitive information
   - Regulatory agencies (pursuant to their authority)
       - Request that "confidentiality" of data be maintained
   - Legitimate business enterprise
       - Request a "non-disclosure agreement"
   - Corporate websites and publications
       - Periodically assess for sensitive information

TERRORISTS WILL USE YOUR COMPANY'S PUBLIC INFORMATION IN THE "INTELLIGENCE GATHERING" STAGE OF A TARGET ASSESSMENT!

NERC Cyber Security

Cyber Security Guidelines
Purpose:
   - Identify, assess and mitigate cyber risks to computing infrastructures using five (5) guidelines:
       1. Risk Management
       2. Access Control
       3. I.T. Firewall
       4. Intrusion Detection
       5. Process Control Systems Security

Applicability, cont.:
   - Any company which owns information systems and services that support the electric infrastructure.

Implementation Considerations:
   - Develop and implement a "CYBER/I.T. SECURITY PLAN" which addresses:
       - Risk Management
       - Access Control
       - I.T. Firewalls
       - Intrusion Detection
       - Process Control Systems
   - Review and test the plan annually.

Recommendation:
   - Applicable across the entire company
       - Business operations
       - System control
       - Personnel data
   - Implement business continuity plans

NERC Threat and Incident Reporting

Purpose:
   - Promote timely and actionable response to security
       - Threats
       - Incidents

Why Report:
   - Prevent or mitigate the consequences of an attack
   - Minimize negative impact on the company
       - Repair costs
       - Revenues
       - Productivity
       - Public trust

The Audience / User:
   - Law enforcement
   - Government agencies and regulators
   - ESISAC
   - Reliability

What Should Be Reported:
   - Date, time and location of incident
   - Description of incident
   - Cause (if known)
   - Law enforcement involvement
   - NERC-DHS Indications, Analysis, Warnings (IAW) Program

NERC Securing Remote Access to Electronic Control and Protection Systems

What Systems?
   Those systems used to regulate physical processes, including but not limited to: electronic protective relays, substation automation and control systems, power plant control systems, energy management systems (EMS), supervisory control and data acquisition (SCADA), programmable logic controllers (PLC).

Purpose:
   - Realistic security
   - Definition of "Remote Access"
   - Recommended steps


				