Electric Sector Failure Scenarios Common Vulnerabilities and Mitigations Mapping – Version 2.0 (technical lead and co-author)
This document serves as a further reference for the National Electric Sector Cybersecurity Organization Resource (NESCOR) Electric Sector Failure Scenarios and Impact Analyses version 3.0 document, which was produced by the Electric Power Research Institute (EPRI) for the U.S. Department of Energy (DOE).
Version 0.9 of the Failure Scenarios document contained the initial lists of vulnerabilities, impacts, and mitigations. The vulnerabilities and mitigations were written as unstructured English sentences. Technical Working Group 1 (TWG1) recognized that consistency of terminology and structure within these lists would have several benefits, including improving document readability and enabling analyses of the Failure Scenarios. In particular, the team wanted to identify the common vulnerabilities and common mitigations. TWG1 devised a structured form for the vulnerabilities and mitigations that would support this goal, and it used the same form for both lists: common vulnerability/mitigation followed by the vulnerability/mitigation context.
The document is structured as follows:
- Appendix A provides the grouping of common vulnerabilities into NISTIR 7628 Vulnerability Classes,
- Appendix B provides the mapping of the original vulnerabilities in Failure Scenarios version 1.0 to common vulnerabilities in version 2.0,
- Appendix C provides the grouping of common mitigations into mitigation classes called mitigation action groups, defined by TWG1, and
- Appendix D provides the mapping of the original mitigations in Failure Scenarios version 0.9 to common mitigations in version 1.0.
Analysis of Selected Electric Sector High Risk Failure Scenarios – Version 2.0 (technical lead and co-author)
This document builds upon the previously published NESCOR document, “Electric Sector Failure Scenarios and Impact Analyses,” and provides detailed analyses for a subset of the failure scenarios. All analyses presented include an attack tree, which details, in a formal notation, the logical dependencies of conditions that allow the failure scenario to occur. Several of the analyses also provide a detailed text write-up for the scenario, in addition to the attack tree. Failure scenarios in the short failure scenario document were prioritized for inclusion in the present document based upon the level of risk for the failure scenario, the priorities of NESCOR utility members, and the priorities of the generation working team.
Electric Sector Failure Scenarios and Impact Analyses – Version 3.0 (technical lead and co-author)
The National Electric Sector Cybersecurity Organization Resource (NESCOR) Technical Working Group 1 (TWG1) developed previous versions of this document on the topic of cyber security failure scenarios and impact analyses for the electric sector. This version includes the addition of generation failure scenarios and updates to the common mitigations and vulnerabilities analyses. The information about potential cyber security failure scenarios is intended to be useful to utilities for risk assessment, planning, procurement, training, tabletop exercises and security testing. A cyber security failure scenario is a realistic event in which the failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates a negative impact on the generation, transmission, and/or delivery of power. Some of the scenario descriptions include activities that typically are not allowed by policies, procedures, or technical controls. These scenarios may be used to ensure that the applicable mitigation strategies are specified and implemented.
Research conducted by EPRI for: NESCOR – a DOE funded public-private partnership | © 2015 Electric Power Research Institute, Inc. All rights reserved.
Risk Management in Practice: A Guide for the Electric Sector (co-author)
This report provides guidance for risk management in practice in the electric sector. The present work builds upon the technical update Integrating Electricity Subsector Failure Scenarios into a Risk Assessment Methodology, 3002001181, which was published in 2013; the DOE Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2); the National Institute of Standards and Technology Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security; the National Rural Electric Cooperative Association (NRECA) Guidance; and other documents.
The focus of this document is to provide guidance on applying the diverse existing cyber security guidance that is applicable to the electric sector. The goal of this document is to provide a framework and comparative analyses of existing guidance that may be used by cyber security practitioners in addressing cyber security.
This document was developed jointly by several organizations, including EPRI, DOE, NRECA, Carnegie Mellon University, and several utilities. This document is a companion document to the EPRI technical update, Security Posture Using the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), Technical Update 3002003332, also published in 2014.
Cyber Security Risk Management in Practice: Comparative Analyses Tables (co-author)
Utilities are assessing various federal guidelines that are applicable to cyber security for the electric sector—a significant task requiring all new guidance. This report is a companion document to EPRI technical update 3002003333, Risk Management in Practice—A Guide for the Electric Sector, and EPRI technical update 3002003332, Security Posture Using the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). The focus of this technical update is to provide guidance on the various cyber security regulations, guidelines, and specifications that may be applicable to the electric sector. This update is not intended to provide new guidance but rather to present information on how to navigate and relate the diverse existing guidance that is applicable to the electric sector. To this end, several additional comparative analyses tables referenced in the other two documents will serve as a roadmap for utilities to use in understanding and applying the cyber security guidance. Information in the various tables will also help utilities implement their own cyber security programs and perform cyber security risk management activities, including risk and maturity assessments.
Security Posture using the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (co-author)
This report provides guidance for performing a capability maturity model assessment using the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). Currently, the ES-C2M2 is intended for application at the organization level. This document includes application guidance that may be used by utilities to apply the ES-C2M2 to systems. This technical update addresses all ten domains in the ES-C2M2, and allocates the National Institute of Standards and Technology Interagency Report (NISTIR) 7628 security requirements to objectives and maturity indicator levels (MILs) within each of the ten domains. The results of the system assessment may be used to determine the security posture of utility systems.
Guidelines for Leveraging NESCOR Failure Scenarios in Cyber Security Tabletop Exercises (co-author)
This document provides exercise facilitators with guidance concerning procedures and responsibilities for exercise development, facilitation, simulation, and support. It explains the exercise concept as it relates to facilitators, establishes the basis for facilitation and simulation of the exercise, and establishes and defines the communications, logistics, and administrative structure needed to support facilitation and simulation during the exercise. This document includes a National Electric Sector Cybersecurity Organization Resource (NESCOR) failure scenario and explains how to expand this scenario for use in a cyber security tabletop exercise.
National Institute of Standards and Technology Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security (technical lead for the initiative and co-author)
This three-volume report presents a framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of smart grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of smart grid stakeholders can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements. This approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization’s cybersecurity requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify.
National Institute of Standards and Technology (NIST) Special Publication 800-53, Rev 5, Security and Privacy Controls for Information Systems and Organizations (one of the original authors)
This publication provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks. The controls address diverse requirements derived from mission and business needs, laws, Executive Orders, directives, regulations, policies, standards, and guidelines.
The publication describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions and business functions, technologies, environments of operation, and sector-specific applications. Finally, the consolidated catalog of controls addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms) and an assurance perspective (i.e., the measure of confidence in the security or privacy capability). Addressing both functionality and assurance ensures that information technology products and the information systems that rely on those products are sufficiently trustworthy.
Cybersecurity Procurement Language for Energy Delivery Systems (co-author)
This document provides baseline cybersecurity procurement language that is the consensus opinion of the document authors and was guided by input from voluntary reviewers representing the Acquirer, Integrator, and Supplier communities. It focuses on the cybersecurity of energy delivery systems (i.e., control systems) and does not attempt to specify or replace cybersecurity-based procurement language for acquisitions involving IT. Considerations for IT cybersecurity are outlined in many standards and guidance documents (e.g., the NIST 800 series of publications). Users of this document have the responsibility of ensuring that actions taken during the procurement process comply with current standards and regulations. In addition to the language included in this document, acquired products and services should conform to the applicable IT security standards and operations technology (OT) standards for energy delivery systems.
This document is designed to provide baseline cybersecurity procurement language for the following:
- Individual components of energy delivery systems (e.g., programmable logic controllers, digital relays, or remote terminal units).
- Individual energy delivery systems (e.g., a SCADA system, EMS, or DCS).
- Assembled or networked energy delivery systems (e.g., an electrical substation [transmission and distribution] or a natural gas pumping station).