Professional Documents
Culture Documents
WORKING GROUP
D2.38
SEPTEMBER 2017
FRAMEWORK FOR EPU OPERATORS
TO MANAGE THE RESPONSE TO A
CYBER-INITIATED THREAT TO THEIR
CRITICAL INFRASTRUCTURE
WG D2.38
Members
D. HOLSTEIN, Convenor US T.W. CEASE, Secretary US
C. NEWTON US S. BUSCHI IT
A. STEFANNI IT J. WEISS US
F. HOHLBAUM CH C. POIRIER-GALMICHE FR
K. PANYIM TY P. SEDTHEETHORN TY
V. TAN AU D. BORDEA RO
J.P. MENNELLA FR T. WLODARCZYK PL
A. KOZAKIEWICZ PL M. FAUCHON CA
V. DISTEKRATH DE J. WACK US
M. RAAUM NO
Corresponding Members
Copyright © 2017
“All rights to this Technical Brochure are retained by CIGRE. It is strictly prohibited to reproduce or provide this publication in
any form or by any means to any third party. Only CIGRE Collective Members companies are allowed to store their copy on
their internal intranet or other company network provided access is restricted to their own employees. No part of this
publication may be reproduced or utilized without permission from CIGRE”.
Disclaimer notice
“CIGRE gives no warranty or assurance about the contents of this publication, nor does it accept any responsibility, as to the
accuracy or exhaustiveness of the information. All implied warranties and conditions are excluded to the maximum extent
permitted by law”.
WG XX.XXpany network provided access is restricted to their own employees. No part of this publication may be
reproduced or utilized without permission from CIGRE”.
EXECUTIVE SUMMARY
INTRODUCTION
WG D2.38 built this technical brochure leveraging the extensive research by others – 67 references are
included in the bibliography and cited in the main body text and annexes of the brochure. Working group
subject matter experts then tailored the findings of thiss research for EPU applications.
The National Institute of Standards and Technology (NIST) published the “Preliminary
Cybersecurity Framework 1” October 29, 2013. NIST’s framework is compri sed of a Core, a Profile,
and Information Tiers. The Core contains standards and best practices that are common across all
sectors and industries. Reed Smith published an interesting article “NIST Cybersecurity Framework:
Is it going off the rails.” Smith’s article reached the following conclusions that reinforce the need
for this technical brochure.
1) The standards divide into five functions: Identify, Protect, Detect, Respond and Recover,
which are generally consistent with industry and international inform ation standards such as
ISO 27001.
2) The Profile section intends to be a tool for a company [EPU] to map its “Current” alignment
with the standards against a “Target” profile that will address identified cybersecurity risk.
3) The framework provides the concept of a profile but does not specify the templates for
creating one.
Thus, a tool set must provide the capability to receive, store, model, retrieve, and send cyberspace
information to all system components. Implementation of the tools must have the capability to receive
real-time information from various network components and operation overlay sources.
Such an automated response is needed to provide sufficient oversight information to manage the
response and recovery. Visualization of the situation and clar ity of response options is critical.
In response to a cyber-initiated attack, Lockheed Martin developed the concept “cyber kill chain”
to describe seven phases of an attack: 1) Reconnaissance, 2) Weaponization, 3) Delivery, 4)
Exploitation, 5) Installation, 6) Command and control (C2), and 7) Actions on objectives.
The working group responsible for this technical brochure understood the need for the framework
to adapt easily to new requirements that evolve from local laws and regulations, changes in the
threat environment, and improvements in CERT process for information sharing and
responsiveness. This is a tall order, so this working group’s vision was to establish a few high -
priority specifications for the framework. Work by others will continue to build on the basic
framework so that future CIGRE working groups can issue updates to this technical brochure.
1 Improving Critical Infrastructure Cybersecurity – U.S. Executive Order 13636, issued February 12, 2013.
3
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Based on feedback from the global survey patch management and ICS-CERT response applications
are the highest priority, and therefore are the topics in this technic al brochure.
9) Maintain an up-to-date list of all critical EPU assets, configurations, and settings. Most
importantly, the interaction between automated IED initiated a ctions should be well
documented and be up-to-date.
10) EPU employees and support contractors should be periodically briefed on security threats,
security policies, procedures and organizational directives to maintain a heighted awareness
to the security situation. All such briefings should require a signature by the participants
4
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
indicating they understand the security issues and their individual responsibility to comply
with EPU security directives and local laws and regulations.
Security leaders can improve targeted attack detection capabilities using their security information
and event management tools, but it requires investments in expertise processes, and
complementary technologies.
11) Invest in the necessary expertise to define and implement continuous tu ning and operation
of the security information and event management (SIEM) and analysis tools, in “hunger
investigators” to proactively identify compromises.
12) Use forward-leaning technologies, like user and entity behavior analytics (UEBA), and
advanced threat defense solutions like end point detection and response (EDR) and network
traffic analyzer (NTA) to extend SIEM capabilities to detect advanced threats.
13) Monitoring to detect targeted attacks requires a balance of active SIEM administration and
tuning, visibility beyond security operations people and tools, and investment in
complementary detection technologies, and mature processes that cut across the IT and OT
organizations.
Managed by central management console, the data loss prevention (DLP) suite should provide the
visibility and control of critical assets over EPU segmented networks, endpoint, and off-premise.
Discovery and classification of EPU sensitive data stored in locally controlled systems is critical. The
following modules provide these capabilities.
Gateway inspector: Each EPU network segment should include a DLP gateway that monitors and
enforces DLP policy based on controls such as block, quarantine, route to encryption gateway, audit and
log, pass, alert and notify, severity block and severity quarantine, and redact over the network segment
covering all channels and ports on all protocols.
Endpoint protector: An agent that monitors and enforces automated DLP policy based controls for
data-in-motion to all endpoint and removable media. Controls such as block, encrypt, audit and log,
notify and alert on violations of confidentiality data, integrity data, and application data.
eDiscovery: An agent that discovers, classifies and remediates confidentiality data, integrity data and
application data stored in locally controlled repositories, file shares, etc. Remediation includes the
capability to “copy to”, “move to”, “delete”, or enforce digital rights management (DRM) policy in real
time.
Digital rights management: An agent that enforces automated DLP policy based controls for data-in-
use by controlling the entity (human or machine) that can access a file, where they can access the file,
and when or where the can be accessed.
EPU cybersecurity protection policies, procedures, and organizational directives should include any
function or location serving the edge (logical or physical) of their network. The edge includes
remote access virtual private network (VPN) and unmanned remote sites. Hence, the posture
validation of the devices accessing these edges of the network should be a requirement.
At the perimeter of each EPU network segment, reduce the threat footprint by blocking a wide
range of unwanted applications and then inspecting the allowed applications for threats – both
known and unknown. Key perimeter protection for t he next-generation firewall includes the
following enablement requirements 2.
2 Contributions from Palo Alto Networks (www.paloaltonetorks.com) were used to develop the tool suite for perimeter
defense.
5
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Identify applications, not ports: Classify traffic, as soon as it arrives at the firewall, to
determine the application identity, irrespective of protocol, encryption or evasive t actic. Use
that identity as the basis for all EPU security policies.
Tie application usage to user identity, not IP address, regardless of location or device:
Employ user and group information from EPU managed directories or approved third -party
directories to deploy consistent enabling policies for all users, regardless of location or device.
Protect against all threats – both known and unknown: Prevent known vulnerability exploits,
malware, spyware, malicious uniform resource locators (URLs) while analysing traffic for
tunnelled traffic and automatically delivering protection against highly targeted and previously
known malware.
Simplify policy management: Enable EPU applications and reduce administrative efforts with easy-to-
use graphical tools, a unified policy editor, templates, and device groups.
Cyber threats can easily bypass a port-based firewall by hopping ports using SSL and SSH sneaking
across port 80, or by using non-standard ports. Port-based firewall vulnerabilities are discussed in
Annex D. Products such as AppID™ 3 address the traffic classification visibility limitations of
traditional firewalls by applying multiple classification mechanisms to the traffic stream to
determine the exact identity of the application traversing the EPU network seg ment. Unidentified
applications, typically a small percentage of traffic, yet high in potential risk, should for systematic
management based on control and inspection, threat forensics, etc. automatically be categorized.
Common threat evasion tactics such as port-hopping and tunnelling should be addressed by
executing approved EPU threat prevention policies using the application and protocol context
generated by decoders. EPU procurement should compare tool suites offered by the vendors to
evaluate how well their solution provides the following security capabilities.
Block known threats (IPS and network antivirus/anti-spyware: The capability to use a
uniform signature format and a stream-based scanning engine to enable the EPU to protect
the network segment from a broad range of threats.
14) Intrusion prevention system features block network and application -layer vulnerability
exploits, buffer overflows, denial of service (DoS) attacks, and port scans.
15) Antivirus/anti-spyware protection blocks malware variants, malware-generated command and
control traffic, PDF viruses, and malware hidden within compressed files or web traffic.
16) Policy-based SSL decryption across any application on any port protects against malware
moving across SSL encrypted applications.
Block unknown, targeted malware: The capability to identify and analyze unknown or targeted
malware, which directly executes and observes unknown files in a cloud -based, virtualized
environment.
Identify bot-infected hosts: The capability to classify all applications, across all ports, including
any unknown traffic to expose anomalies or threats to the EPU network or network segment.
17) The behavioral botnet report should correlate unknown traffic, suspicious DNS and URL
queries and a variety of unusual network behaviors to reveal devices that malware can likely
infect.
18) Display the results in the form of a list of potentially infected hosts to investigate possible
members of a botnet.
3 App-ID™, a patent-pending traffic classification system is only available in Palo Alto Networks firewalls. App -ID™
instantly applies multiple classification mechanisms to your network traffic stream, as soon as the device sees it, to
identify accurately applications.
6
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Limit unauthorized file and data transfers: The capability to filter data based on EPU security
policies that will reduce the risks associated with unauthorized file and data transfers.
19) File transfers should be controlled by looking inside the file (as opposed to looking only at
the file extension), to determine if the transfer act ion should be allowed or not.
20) Unless sent from a well-authenticated and trusted source, executable files, typically found in
downloads from remote configuration tools to upgrade protection relays, can be blocked,
thereby protecting EPU networks and network segments from unseen malware propagation.
21) Enable data filters to detect and control the flow of sensitive data within the EPU network
and network segments. IEC 62443 offers guidelines to restrict such data flows in a federated
and segmented architecture.
Control web or cloud surfing: The capability to customize the filtering engine to apply EPU granular
browsing policies requires integration with the vendor’s tool suite.
The purpose of application whitelisting is to protect the host environment and applications from
unauthorized code (malware-based injection, remote-execution), thereby compromising the host
environment.
According to the US National Security Agency (NSA), application whitelisting is not a replacement
for traditional security software, such as antivirus and host firewalls(Agency). Using whitelists is
one layer in a defense-in-depth strategy. Table 4-1 shows the advantages and disadvantage listed
by NSA.
Advantages Disadvantages
Blocks most current malware Requires performance overhead to enforce the whitelist
(varies greatly depending on implementation)
Prevents use of unauthorized applications Requires regular maintenance of the whitelist to add
new applications and remove ones that are no longer
approved
Does not require daily definition updates Causes some users to be annoyed because they cannot
download and run applications at will
Requires administrator installation and approval of new Requires additional time and manpower to maintain.
applications
Whitelisting provides a dramatic improvement in the level of visibility into files being introduced
into an environment. This can be extremely helpful for incident responders. To reduce significantly
the risk of today’s malware organizations [EPUs] can use the technology. This helps reduce the
likelihood of system compromise and reduces cost of staff to deal with malware related issues.
Considering the nature of application whitelisting, it is most useful in static environments, i.e. where there
is a very low rate of change, resulting in a reduced operational overhead in maintaining a valid whitelist.
These include systems that are updated less frequently (where availability is of the utmost priority),
undergoes fewer configuration changes and have little need to install additional software after
commissioning. Examples of such systems include SCADA servers, HMIs and Engineering Workstations.
IN CONCLUSION
This technical brochure offer an indepth view of the issues, benefits and concerns of proposed solutions
that should be considered by EPU security teams. These views focus on people, processes and
technologies that should be reflected in EPU security policies, procedures and organizational directives.
7
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
8
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
TABLE OF CONTENT
EXECUTIVE SUMMARY ................................................................................................................................ 3
INTRODUCTION ....................................................................................................................................................................................... 3
SUMMARY OF FINDINGS AND RECOMMENDATIONS .................................................................................................................. 4
IN CONCLUSION ..................................................................................................................................................................................... 7
1. SCOPE ............................................................................................................................................. 13
2. INTRODUCTION ............................................................................................................................ 14
2.1 BACKGROUND ........................................................................................................................................................................ 14
2.2 CRITICAL INFRASTRUCTURE DEPENDS ON THE USER AND SITUATION .................................................................... 15
2.2.1 The impact of European regulations .......................................................................................................................... 15
2.2.2 Leverage the NERC CIP definitions ............................................................................................................................ 16
2.2.3 OECD’s characterization of criticality ....................................................................................................................... 16
2.2.4 Classification method and key measures enforced by law .................................................................................. 17
2.3 STRONG PERIMETER DEFENSE SOLUTIONS ..................................................................................................................... 18
2.3.1 An example unidirectional architecture .................................................................................................................... 18
2.3.2 Advanced persistent threats on perimeter defense ............................................................................................... 19
2.3.3 How effective are unidirectional gateways? ........................................................................................................... 20
2.3.4 Protection against high networks ................................................................................................................................ 20
2.3.5 TCP/IP protocols ............................................................................................................................................................ 20
2.3.6 Clarification of 2.3.3 item 3) ...................................................................................................................................... 21
2.4 FOCUS ON THE INSIDER THREAT........................................................................................................................................ 21
2.4.1 Scenario assumptions .................................................................................................................................................... 21
2.4.2 High-level SysML collaboration model ..................................................................................................................... 22
2.4.3 Threat collaboration ...................................................................................................................................................... 23
2.4.4 Log action and security manager 24/7 data exploitation .................................................................................. 24
2.5 THE NEED TO ENFORCE SECURITY ROBUSTNESS ........................................................................................................... 24
2.5.1 Translating security robustness .................................................................................................................................... 24
2.5.2 Perimeter defense enables security robustness ....................................................................................................... 25
2.6 THE NEED FOR PLUG AND PLAY......................................................................................................................................... 25
2.7 NOTIONAL EPU CRITICAL INFRASTRUCTURE ARCHITECTURES .................................................................................... 25
2.8 CLOUD COMPUTING IS AN EVOLVING PARADIGM .................................................................................................... 26
2.8.1 The NIST framework ...................................................................................................................................................... 26
2.8.2 Shared responsibility and accountability ................................................................................................................. 26
9
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
8. BIBLIOGRAPHY .............................................................................................................................. 47
10
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
11
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
G.3.4.1 Smart Grid motivation for using cloud computing services .............................................................................. 92
G.3.4.2 Leveraging the cloud-based services for data protection ............................................................................... 93
G3.5 Potential use of cloud computing ................................................................................................................................ 93
G.4 RECOMMENDED SECURITY GUIDELINES FOR EPU USE OF CLOUD COMPUTING ................................................. 94
G.4.1 Common security recommendations ........................................................................................................................... 94
G.4.2 Security recommendation for the use of deployment models .............................................................................. 94
G.4.3 Security recommendations for the use of service models ...................................................................................... 94
TABLE OF TABLES
Table 1 Advantages and disadvantages of application whitelisting ..........................................................7
Table 4-1 Advantages and disadvantages of application whitelisting ..................................................... 33
Table B-1 Cyber threat capability survey questions .............................................................................. 59
Table B-2 Survey response summary .................................................................................................. 62
TABLE OF FIGURES
Figure 1 Unidirectional reference architecture ................................................................................ 19
Figure 2 Trusted on-site technician ............................................................................................... 21
Figure 3 Threat collaboration model .............................................................................................. 23
Figure 4 Example Whitelisting Actions by Windows AppLocker Integrated into a monitoring solution . 34
Figure 5 Incident handling module ................................................................................................ 40
Figure 6 Model-Based Predictive Classification Concept: Incoming data processed to infer observations41
Figure 7 Typical coordinated disclosure process ............................................................................. 42
Figure 8 Emergency coordination and crisis management ............................................................... 43
Figure 9 EPRI’s high-level ISOC architecture .................................................................................. 44
Figure 10 Key technologies used at different layers in an ISOC ....................................................... 45
Figure 11 Effect of Insider incidents on system downtime ............................................................... 68
Figure 12 Security level reduction ................................................................................................. 70
Figure 13 Firewall operations and data flow ................................................................................... 73
Figure 14 EPU generating station system model ............................................................................. 83
Figure 15 - Security policy framework (66) .................................................................................... 95
12
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
1. SCOPE
This technical brochure describes a framework for a tool set that electric power utility (EPU)
operators can use to automate their response to cyber -initiated threats. Within this framework, a
priority is placed on the capability for EPU personnel and supporting e xpert contractors
(consultants, vendors, etc.) to create, model, simulate, and control the response to a cyber -
initiated threat. The three pillars of model-based system engineering (MBSE) are tailored for EPU
applications to establish a coherent framework (1).
Pillar #1: A formal modelling language to establish a standardized basis for communication and
collaboration. This technical brochure uses system dynamic language (SDL), business process
model notation (BPMN), and system modelling language (SySML) to define the grammar and a set
of rules that determines whether a given model is well-formed or ill-formed.
Pillar #2: A well-defined modelling method to create the model. This technical brochure uses an
object-oriented engineering method described by Friedenthal (2).
This is sometimes referred to as INCOSE’s object-oriented system engineering method (OOSEM).
Pillar #3: An integrated modelling tool that provides the capability to create different views of the
problem domain under consideration. This technical brochure uses several commercial tools:
VENSIM PLE for SDL based models, Cameo systems modeler by No Magic, and VISIO for simple
flat views of a selected process.
13
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
2. INTRODUCTION
2.1 BACKGROUND
Cyberspace is the collection of computer networks comprised of wired and wireless connections,
a multitude of protocols, and devices ranging from host machines to intelligent electronic devices
(IEDs). The response to the questions in the global survey ( 0) clearly shows that EPU operators
do not have sufficient tools to respond to a serious cyber -initiated threat to their critical
infrastructures.
The National Institute of Standards and Technology (NIST) published the “Preliminary
Cybersecurity Framework 4” October 29, 2013 (3). NIST’s framework is comprised of a Core, a
Profile, and Information Tiers. The Core contains standards and be st practices that are common
across all sectors and industries. Reed Smith published an interesting article “NIST Cybersecurity
Framework: Is it going off the rails (4).” Smith’s article reached the following conclusions that
reinforce the need for this technical brochure.
1) The standards divide into five functions: Identify, Protect, Detect, Respond and Recover,
which are generally consistent with industry and international information standards such as
ISO 27001.
2) The Profile section intends to be a tool for a company [EPU] to map its “Current” alignment
with the standards against a “Target” profile that will address identified cybersecurity risk.
3) The framework provides the concept of a profile but does not specify the templates f or
creating one.
Thus, a tool set must provide the capability to receive, store, model, retrieve, and send cyberspace
information to all system components. Implementation of the tools must have the capability to
receive real-time information from various network components and operation overlay sources.
Such an automated response is needed to provide sufficient oversight information to manage the
response and recovery. Visualization of the situation and clarity of response options is critical.
In response to a cyber-initiated attack, Lockheed Martin developed the concept “cyber kill chain”
to describe seven phases of an attack.
1) Reconnaissance
2) Weaponization
3) Delivery
4) Exploitation
5) Installation
6) Command and control (C2)
7) Actions on objectives
In the paper “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary
Campaigns and Intrusion Kill Chains,” Hutchins, Cloppert, and Amin describe the kill chain in detail
and provide a course of action matrix with recommended defensive measures f or each phase (5).
If an attack is successful their approach can be used by the EPU response team both for forensic
and analysis because the needed data, or artefacts of the attack, should be found in each of the
seven steps. For a defense mechanism, the mitigation can be implemented at any phase of the
4 Improving Critical Infrastructure Cybersecurity – U.S. Executive Order 13636, issued February 12, 2013.
14
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
chain because once that phase of the chain is protected the adversary hast to restart the attack.
A defense-in-depth strategy should implement mitigation at several stages of the chain.
The working group responsible for this technical brochure understood the need for the framework
to adapt easily to new requirements that evolve from local laws and regulations, changes in the
threat environment, and improvements in CERT process for information sharing and
responsiveness. This is a tall order, so this working group’s vision was to establish a few high -
priority specifications for the framework. Work by others will continue to build on the basic
framework so that future CIGRE working groups can issue updates to this technical brochure.
Based on feedback from the global survey (see 0) the following applications are the highest priority,
and therefore are the topics in this technical brochure.
1) Patch management
2) ICS-CERT response
From this point of view, there is a fundamental difference between a public communications
infrastructure and one that is serving an EPU. A public communications infrastructure (e.g.
television or phone company network) can be analysed by its individual criticality perspective,
starting with its client count, offered services, fin ancial gains, financial and image losses in case
of service unavailability.
IT&C infrastructures that serve an EPU can only be evaluated and correlated with the entity they
serve, taking into consideration two factors:
1) EPU criticality;
2) How the EPU’s functionality depends on the availability of IT&C services.
Regarding the definition of critical infrastructures, there are a number of regulations on a European
level (On the 7th of February 2013, the European Commission released the Cybernetic Security
Strategy for the EU, and within it they proposed a directive regarding the needed measures to
assure the same level of security within the EU computer networks; the critical infrastructures
operators obligations for certain activity areas: finances, services, tra nsport, energy and
healthcare, IT services providers and public administrations; These operators need to implement
security measures accord with the services they provide). These regulations are transposed in the
EU member’s legislation (e.g. In Romania, one such law exists – HG 1198/2012 (6), regarding the
acknowledgement of national critical infrastructures and it is called “Romania’s Cybernetics
Security law”.
A review of current national rules and practices relating to risk preparedness in security of
electricity supply was published by the European Commission (7). The analysis of current national
rules and practices was primarily based on the twenty-eight national Country Reports, which were
drafted by (legal) experts based on their in-depth desk research and on stakeholder responses
received. Stakeholder engagement was achieved in all twenty -eight Member States, which is
reflected in the completeness of the reports and the study. The availability to share relevant
documents or information that the study team was not able to obtain through desk research,
15
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
varied across the Member States; when these data could not be shared, this was mainly due to
the confidentiality of the information.
Research shows a fragmented and diverse framework in relation to national risk preparedness
plans, measures and obligations concerning security of electricity supply. In general, it can be said
that all Member States consider risk preparedness consideratio ns. However, only ten Member
States set clear obligations to draw up risk preparedness plans. Eighteen other countries do not
have such an obligation, but take risk preparedness considerations into account in reports, plans
or measures. There is no specific obligation to submit a risk preparedness plan in the Electricity
Directive (2009/72/EC) and in the Security of Supply Directive (2005/89/EC), which partly explains
the fragmented framework of preparedness plans and measures.
There is no need to go into the methodology by which critical infrastructure are chosen since it
has it’s on own particularities in each member state. In general, it concerns possible material
damage, loss of human life, the losses that could affect a community or even other countri es.
By applying these criteria, we will obtain various levels of criticality for different EPU (whether we
are talking about system operators, producers – thermal, nuclear, hydro, wind, sun or biomass).
These classifications will depend on other factors su ch as the EPU’s own organising (whether they
separate the production, the distribution and the system operator activities or not) or the EPU’s
size.
To conclude, every analysis needs to start with different scenarios regarding the EPU being unable
to function and with the consequences of these dysfunctionalities.
The second phase of this analysis is related to the impact that the IT systems have on these
dysfunctionalities, using the following criteria:
This reference is divided into two sections, and each section is organized in alphabetical order.
The first section identifies all terms that have been adopted by the NERC Board of Trustees for
use in continent-wide standards; the second section identifies all terms that have been adopted
by the NERC Board of Trustees for use in regional standards. (WECC, NPCC and RF are the only
Regions that have definitions approved by the NERC Board of Trustees. If other Regions develop
definitions for approved Regional Standards using a NERC -approved standards development
process, those definitions will be added to the Regional Definitions section of this glossary.)
16
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
some countries (9). This paper reviews the role of investment policies in broader national
strategies for protecting critical infrastructure. The k ey findings are:
1) Many countries have national plans or strategies for protecting critical infrastructure. These
strategies generally define “critical infrastructure” as physical or intangible assets whose
destruction or disruption would seriously undermin e public safety, social order and the
fulfilment of key government responsibilities. Such damage would generally be catastrophic
and far-reaching. Sources of critical infrastructure risk could be natural (e.g. earthquakes or
floods) or man-made (e.g. terrorism, sabotage).
2) The national strategies studied generally adopt a risk management approach to critical
infrastructure protection. This approach helps governments to identify key security assets,
assess risks and establish strategies and priorities for mi tigating these risks. Generally, the
risk management strategy involves measures to be taken in the following areas: prevention,
preparedness, response and recovery. The plans seek to improve coordination among
relevant agencies and with private sector operators of critical infrastructure facilities in order
to manage risks associated with critical infrastructure.
3) Information provided by notifications made under the OECD National Treatment Instrument
shows that all adhering countries have one or more invest ment measures that address
infrastructure. These are of three types: 1) blanket restrictions; 2) sectoral licensing or
contracting; 3) trans-sectoral measures such as investment review procedures. For some
countries, these discriminatory investment policie s are extremely limited in scope (e.g. they
concern cabotage or investments in vessels flying the national flag), whereas for others the
sectoral coverage of restrictive policies is broad.
4) The critical infrastructure policies reviewed here attempt to coord inate the role of private
operators of such infrastructure - be they domestic or foreign - in broader national efforts to
protect critical infrastructure. However, the role assigned to investment policies in critical
infrastructure protection varies. Many countries perceive the value added by investment
policy measures, relative to other policies (e.g. defense, law enforcement, sectoral), as
negligible and accordingly assign little or no role to investment policy. Others note that,
while their critical infrastructure protection policy adopts a broad approach to risk,
investment policy is used to address only a narrow range of these risks - those related to
national security - and only as a measure of last resort, i.e. only if other, less restrictive and
non-discriminatory, measures cannot adequately mitigate the identified risks.
2.2.4 Classification method and key measures enforced by law
The French Network and Information Security Agency published its description of classification
methods and key measures for industrial control systems (10). These documents will be used to
define the methods for applying the measures set out within the framework of French Law No.
2013-1168 of 18 December 2013, known as the Military programming law. The objective is to
subject all new critical ICSs to an approval process, thus ensuring that their cybersecurity level is
acceptable given the current threat status and its potential developments.
Cybersecurity levels are defined in terms of consequences for the Nation, rather than
consequences for responsible entities. Each class systematically includes the measures of the class
below it. Below is a brief description of the three cybersecurity classes for ICSs.
17
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Class 1: ICSs for which the risk or impact of an attack is low. The measures recommended for
this class must be able to be applied in complete autonomy. This class mainly corresponds to rules
provided in the ANSSI Healthy Network Guide.
Class 2: ICSs for which the risk or impact of an attack is significant. There is no state control over
this class of ICS, but in the event of inspection or incident, the responsible entity must be able to
provide evidence that adequate measures have been implemented.
Class 3: ICSs for which the risk or impact of an attack is critical. In this class, the obligations are
heightened and the conformity of ICSs is verified by the state authority or an accredited body.
All functional or technical modifications to ICSs must trigger a review of the cybersec urity level.
Indeed, such modifications may have repercussions on the class that was previously estimated.
2.2.4.2 Measures
An infrastructure with dedicated resources leased from a telecommunications operator (such as a
MPLS network) is not considered a public network when resources are logically partitioned from
other traffic and the operator provides service guarantees. This type of solution does not
necessarily guarantee data stream confidentiality or integrity and does not in any case exempt the
responsible entity from implementing appropriate measures (such as a VPN) to ensure the
authenticity, integrity and confidentiality of data streams.
The deployment of means of detection also implies the implemen tation of centralisation tools and
analysis tools to process the collected events. To avoid the proliferation of procedures,
cybersecurity approval can be integrated into the approval procedures that already exist in certain
sectors.
5 Readers interested in unidirectional gateway technology are directed to (11) L. Frenkel, D. Berko, and A. Ginter,
"Experience with Unidirectional Security Gateways Protecting Industrial Control Syst ems," ed: CRITIS, 2012.
18
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Generation Remote
Vendor Dispatch Access Attack!
Firewall Firewall
Internet /
Telecomms Backbone
VPN VPN VPN
VPN Svr VPN Svr Corporate Firewall
Unidirectional Gateway
Protection Layer
ADC
EPU
OT Network
Unit Firewall
Generating Unit
Control Network
Unidirectional Gateway
Protection Layer
Protective Safety
Relays Sytems
Ginter noted that “the architecture recognized that every computer, device or machine that
exchanges messages with the Internet is potentially compromised and therefore is untrustworthy
and every machine exchanging messages with an untrustworthy machine is similarly untrustworthy.
These networks are protected by unidirectional gateway technologies, whose stronger -than-
firewalls protection eliminate the threat of network attacks from untrusted networks, and eliminate
external network-connectivity cyber risks to protected, reliability-critical networks.”
6 Ginter, et al. summarized the threats from the MacAfee Night Dragon and Shady RAT reports, and the Mandiant APT1
report.
19
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
3) Evade anti-virus (AV) systems with custom malware deployed in volumes too low to trigger
AV signature creation,
4) Use professionals to operate sophisticated malware by interactive remote control,
5) Gather passwords and password hashes,
6) Create administrative accounts on domain controllers and remote access systems, and then
7) Log in to those accounts like any other user, and proceed to mis -operate control system
equipment.
2.3.3 How effective are unidirectional gateways?
Okhravi and Sheldon and others raised three issues regarding the effectiveness of unidirectional
gateways (15).
7 High networks are enterprise networks and low networks are process control networks.
20
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
For example, unidirectional gateway software on the source network might connect to a rela tional
database and request to be notified by the database whenever data in the database changes.
When a change is signalled, the gateway software could query for the new data, and transmit the
data through the unidirectional hardware. On the receiving net work, unidirectional gateway
software would then insert the data into another relational database, thereby maintaining a faithful
replica of the source database on the destination network. Clients on the destination network that
require access to industrial data can then query the replica database and receive the same answer
as they would have received, had they been able to query the protected industrial database.
Similarly, unidirectional gateway software on the industrial network might periodically poll an
industrial device, such as a Modbus PLC. Periodic snapshots of PLC data can then be sent through
the unidirectional hardware to the destination network. Unidirectional gateway software on that
network emulates the original PLC, responding to Modbus requ ests from applications on the
destination network. For example, a historian database on the destination network might issue
such Modbus requests to the unidirectional gateway’s replicas of industrial Modbus devices, and
so populate the database with industrial data, without ever having the ability to issue a poll request
to the source Modbus devices.
In short, data diodes are unable to sustain true query/response TCP connections. Unidirectional
gateways do not need to sustain such connections through unidir ectional hardware. Instead, the
gateway software queries industrial systems on the source network, and replicates industrial
servers or emulates industrial devices to the destination network.
In this example, the ICCP server of the dispatch centre’s Energy Management System (EMS) is
emulated to the power plant, and the power plant’s Distributed Control System’s (DCS) ICCP
server is emulated to the dispatch centre. The real DCS polls the EMS ICCP replica, and the real
EMS polls the DCS ICCP replica. At no time are ICCP polls or commands forwarded from one
network to another, or responses forwarded back. Each replication is independent of the other.
In general, and unlike firewalls, unidirectional gateways do not forward network traffic from one
network to another. The gateways are endpoints of TCP and other connections on each network.
Connections on each network are independent of each other. This ma kes it very difficult for
malware on one network to reach out to a command and control centre in or beyond another
network, much more difficult than is the case with firewalled network connections that route traffic
from one network to another.
21
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Although not directly applicable to cybersecurity, the insider threat as demonstrated by the German
Wings aircraft crash on March 24, 2015 is real and should be taken seriously.
WG D2.38 narrowed their focus of the cyber-induced threat to attacks executed by insiders. We
assumed that insiders had detailed knowledge of EPU operations, protection and control (P&C)
system settings, and authorized cyber-access to mission critical communication nodes and to P&C
intelligent electronic devices (IEDs). Furthermore, D2.38 assumed that sufficient collaboration with
compromised EPU employees and contractors occurred to effectively plan, practice, and to execute
the attack.
Trusted employees and contractors are typically on-site to perform various configuration and
maintenance tasks. Figure 2 shows a direct connection between a test set and the bay level
equipment. The technician also has direct access to the front panel of the equipment under test.
Other sets of tools allow P&C engineers to remotely manage, configure, and test protective relays
at a system level. These test sets reduce the amount of time re quired to create complex logic
schemes. A disgruntled employee or contractor has the knowledge and access privileges to modify
these logic schemes to achieve the planned attack objectives.
22
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Continuing with a hypothetical future attack, this scenario assumes that a relay engineer and a
system operator are willing to collaborate to ensure effective execution of the cyber -initiated attack.
They have agreed to alter mission-critical protection and control set points to levels that, in
response to a minor disturbance, will cause the multiple distribution breakers to trip and disrupt
services to selected first-responder customers. The relay engineer selects the set points and
23
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
changes their value. The system operator monitors the changes and accepts the changed set point
values 9.
An automated security manager reads all logged data, then it initiates the procedures to filter the
data, and associates the changes to define a risk profile. As a minimum, the automated security
manager should execute the following steps.
Correlation of connections established by the access control system is needed. For example, when
the same ID is seen in a Paris substation at 12PM, and then in a Lyon substation at 13PM, there
is a problem because this is not possible and should be flagged.
Lastly, the finely-tuned analysis of business use cases and correlation of information between
services should be the basis for a well-formed security management policy, procedure, and
organizational directives.
Myers, Sabelfeld and Zdancewic published a paper “Enforcin g Robust Declassification.” WG D2.38
translated and mapped the declassification approach into the framework described in this technical
brochure (19). Unlike access controls, information flow controls track the propagation of E PU OT
9 For this scenario, WG D2.38 assumed the EPU’s operational policy requires the system operator to confirm and accept
or reject changes to mission-critical P&C set points. If accepted (confirmed) the set point change is in effect enabled.
If the change is not accepted, the set point change will default to the previous value.
24
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
and IT messages. Tracking can be used to impose an end -to-end requirement on the behaviour of
the EPU system under consideration (SuC). The translation of the following definition is particularly
interesting.
The SuC is secure if an active (insider) attacker (who can observe and modify a part of the SuC
state) may not learn more sensitive information than a passive attacker (who can merely observe
visible data). For example, within a substation, IEC 62351 emphasis on GOOSE message integrity
is a good application of this definition.
As a preamble to attacking the system (and after attacking a system), the attacker observes the
subsequent execution of the system. If the EPU has installed a secure intelligent monitoring
(IntelligentCorrelator) system, it is possible to capture the preamble attack data. The Precursor
agent shown in Figure 3 then processes these data. Correlating the observations to generate an
actionable intelligence report is critical to the discovery of the insider attack team.
Strictly controlling such modularity requires each module functional capability and its interface
specification. WG D2.38 selected the universal modelling language (UML) for this project because
it provides the needed specification construct and visualization 10.
Further to the above, there are different functional focus areas such as substation control
architectures, transmission-specific or distribution-specific architectures, and edge remote access
architectures.
It may not be realistic to have a unifying general architecture that encompasses all areas of
concern to the EPU. However, any critical infrastructure architecture should address the following
areas:
10 MagicDraw by No Magic is the tool used to develop the constructs presented in this technical brochure. Magic draw
may be downloaded from www.magicdraw.com.
25
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Given the future adoption of cloud computing to support EPU operations and related business
functions, response to a wide-variety of security threats must be integrated into deployment
strategies to protect the use of cloud-based services.
26
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
1) Commercial tools are available to collect, process and report cyber threat data. EPUs cannot
claim that lack of tools is why they don’t maintain and monitor logs of security data to
generate alarms created by abnormal access or use of protection and control (P&C) networks
and IEDs.
2) The major impediment to converting security data to actionable information is the need for
personnel with specialized cybersecurity training.
3) Although teamwork is important, EPUs still rely mainly on IT personnel to lead investigative
teams with OT personnel playing a support role.
4) The preferred metric to measure impact is downtime per hour, but system average
interruption disruption index (SAIDI) and system average interruption frequency index
(SAIFI) are important supporting metrics.
5) EPUs generally use their own subject matter experts to build a consensus of the strength of
security needed to mitigate interference with, interruption of, or disablement of their P&C
operations. They find it too difficult to use the esoteric approaches described in eme rging
standards and guidelines, and prefer to stay focused on the perceived impact to operations.
6) EPUs are most worried about cyber-attacks targeting control room or integrated security
operation centre (ISOC). They further believe that a compromised insid er is needed to
execute an effective cyber-attack. However, the robustness and resilience (hot backup and
hot switch-over capabilities) built into their P&C architecture is very effective in thwarting a
cyber-attack.
7) In relation to remote services, the EPU’s security architecture needs meet the border and
edge security requirements, which have stricter requirements and controls than internal
networks. This is because security measures (both technical and non -technical) affecting
remote services are often first line of defense on the entry points of untrusted entities.
8) Staging of patches in a test or development environment is highly recommended for
assurance of the patches. It provides an early detection of compatibility issues with control
systems software and with host-based monitoring in the test environment, provides detection
of any behavior change of the system after applying patches. For example, sudden increase
in network traffic, previously unseen network traffic and sudden high memory or CPU usage.
1) Maintain an up-to-date list of all critical EPU assets, configurations, and settings. Most
importantly, the interaction between automated I ED initiated actions should be well
documented and be up-to-date.
27
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
2) EPU employees and support contractors should be periodically briefed on security threats,
security policies, procedures and organizational directives to maintain a heighted awareness
to the security situation. All such briefings should require a signature by the participants
indicating they understand the security issues and their individual responsibility to comply
with EPU security directives and local laws and regulations.
3) Abnormal operations should be logged and reported in a timely manner. Given the nature of
these data, automated processing of reports is critical to ensure the proper fusion of related
data to provide actionable information to the proper authority. Well understood metri cs 13
should be used to trigger response alerts.
4) Persistent protection of data by encryption, throughout the data lifetime, is the ideal
objective. Practical limitations involving less capable devices and legacy systems will enter
here as restraints to the objective. However, encryption of the data itself, independent of the
protocol involved, at point of origination, makes the secure use of any available transmission
or storage mechanism plausible and practical using Internet engineering task force (IETF)
request for comment (RFC) 5652 or ANSI X9.73 both entitled Cryptographic Message Syntax.
5) Information sharing is more difficult in the EU because defense and public order are
sovereign duties of member states, whereas welfare of people and economy are the
responsibility of European agencies like European Union Agency for Network and Information
Security (ENISA) for cybersecurity. Member states are individually passing cybersecurity laws
for defense and public order. For example, in France vulnerability disclos ure should be kept
secret and only be shared with the French cybersecurity agency. EPUs whose activities are
related to public order must comply with this regulation. It is a serious offence and a criminal
sanction if they do not comply. Even direct sector ial cooperation or direct vendor notification
is non-compliant with this regulation.
1) Complete isolation from untrusted sources. Nothing – not data, commands, or even protocol
signalling from the outside should enter a protected network.
2) Complete protection from external untrusted sources. When an untrusted external source on
attempts access though a security gateway to a protected network to take remote control of
IEDs; that attack will probably fail, but is not 100% guaranteed. Additional defense in depth
is needed to counter such attacks.
3) Complete protection from external denial of service attacks against protected assets. When
an untrusted source on an external network tries to transmit traffic through the gateway to
impair the operation of control system assets, none of those packets arrive on the control
system network. The gateway hardware should be incapable of transmitting anything back to
the control system.
4) Complete protection from sophisticated worms and other malware which can propagate
across networks. No set of unpatched, zero-day, or other vulnerabilities can cause the
13 Metrics should conform to the Jaquith requirements (67) A. Jaquith, Security metrics : Pearson Education, 2007.
28
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
receiving gateway hardware to transmit malware or other information into the protected
network.
5) Protection from malware which takes instructions from servers over the public networks.
Gateway appliances should make it impossible to receive commands from ser vers on
untrusted networks.
1) Invest in the necessary expertise to define and implement continuous tuning and operation
of the security information and event management (SIEM) and analysis tools, in “hunger
investigators” to proactively identify compromises.
2) Use forward-leaning technologies, like user and entity behaviour analytics (UEBA), and
advanced threat defense solutions like end point detection and response (EDR) and network
traffic analyser (NTA) to extend SIEM capabilities to detect advanced threats.
3) Monitoring to detect targeted attacks requires a balance of active SIEM administration and
tuning, visibility beyond security operations people and tools, and investment in
complementary detection technologies, and mature processes that cut across the IT and O T
organizations.
29
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
30
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Gateway inspector: Each EPU network segment should include a DLP gateway that monitors and
enforces DLP policy based on controls such as block, quarantine, route to encryption gateway,
audit and log, pass, alert and notify, severity block and severity quarantine, and redact over
the network segment covering all channels and ports on all protocols.
Endpoint protector: An agent that monitors and enforces automated DLP policy based controls
for data-in-motion to all endpoint and removable media. Controls such as block, encrypt, audit
and log, notify and alert on violations of confidentiality data, integrity data, and application
data.
eDiscovery: An agent that discovers, classifies and remediates confidentiality data, integrity data
and application data stored in locally control led repositories, file shares, etc. Remediation
includes the capability to “copy to”, “move to”, “delete”, or enforce digital rights management
(DRM) policy in real time.
Digital rights management: An agent that enforces automated DLP policy based controls for
data-in-use by controlling the entity (human or machine) that can access a file, where they
can access the file, and when or where the can be accessed.
At the perimeter of each EPU network segment, reduce the threat footprint by blocking a wide
range of unwanted applications and then inspecting the allowed applications for threats – both
known and unknown. Key perimeter protection for the next-generation firewall includes the
following enablement requirements 15.
Identify applications, not ports: Classify traffic, as soon as it arrives at the firewall, to
determine the application identity, irrespective of pr otocol, encryption or evasive tactic. Use
that identity as the basis for all EPU security policies.
Tie application usage to user identity, not IP address, regardless of location or device:
Employ user and group information from EPU managed directories or approved third-party
directories to deploy consistent enabling policies for all users, regardless of location or device.
14 Contributions from GTB Technologies (www.gtbtechnologies.com) were used to develop the tool set for data loss
prevention.
15 Contributions from Palo Alto Networks (www.paloaltonetorks.com) were used to develop the tool suite for perimeter
defense.
31
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Protect against all threats – both known and unknown: Prevent known vulnerability exploits,
malware, spyware, malicious uniform resource locators (URLs) while analysing traffic for
tunnelled traffic and automatically delivering protection against highly targeted and previously
known malware.
Simplify policy management: Enable EPU applications and reduce administrative efforts with
easy-to-use graphical tools, a unified policy editor, templates, and device groups.
4.2.1 Focus on classifying traffic
Cyber threats can easily bypass a port-based firewall by hopping ports using SSL and SSH sneaking
across port 80, or by using non-standard ports (22) (23). Port-based firewall vulnerabilities are
discussed in Annex D. Products such as AppID™ 16 address the traffic classification visibility
limitations of traditional firewalls by applying multiple c lassification mechanisms to the traffic
stream to determine the exact identity of the application traversing the EPU network segment.
Unidentified applications, typically a small percentage of traffic, yet high in potential risk, should
for systematic management based on control and inspection, threat forensics, etc. automatically
be categorized.
Block known threats (IPS and network antivirus/anti-spyware: The capability to use a
uniform signature format and a stream-based scanning engine to enable the EPU to protect
the network segment from a broad range of threats.
1) Intrusion prevention system features block network and application-layer vulnerability
exploits, buffer overflows, denial of service (DoS) attacks, and port scans.
2) Antivirus/anti-spyware protection blocks malware variants, malware -generated command and
control traffic, PDF viruses, and malware hidden within compressed files or web traffic.
3) Policy-based SSL decryption across any application on any port protects against malware
moving across SSL encrypted applications.
Block unknown, targeted malware: The capability to identify and analyse unknown or targeted
malware, which directly executes and observes unknown files in a cloud -based, virtualized
environment.
Identify bot-infected hosts: The capability to classify all applications, across all ports, including
any unknown traffic to expose anomalies or threats to the EPU network or network segment.
1) The behavioural botnet report should correlate unknown traffic, suspicious DNS and URL
queries and a variety of unusual network behaviours to reveal devices that malware can
likely infect.
2) Display the results in the form of a list of potentially infected hosts to investigate possible
members of a botnet.
16 App-ID™, a patent-pending traffic classification system is only available in Palo Alto Networks firewalls. App-ID™
instantly applies multiple classification mechanisms to your network traffic stream, as soon as the device sees it, to
identify accurately applications.
32
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Limit unauthorized file and data transfers: The capability to filter data based on EPU security
policies that will reduce the risks associated with unauthoriz ed file and data transfers.
1) File transfers should be controlled by looking inside the file (as opposed to looking only at
the file extension), to determine if the transfer action should be allowed or not.
2) Unless sent from a well-authenticated and trusted source, executable files, typically found in
downloads from remote configuration tools to upgrade protection relays, can be blocked,
thereby protecting EPU networks and network segments from unseen malware propagation.
3) Enable data filters to detect and control the flow of sensitive data within the EPU network
and network segments. IEC 62443 offers guidelines to restrict such data flows in a federated
and segmented architecture.
Control web or cloud surfing: The capability to customize the filtering engine to apply EPU
granular browsing policies requires integration with the vendor’s tool suite.
4.2.3 How effective is whitelisting?
The purpose of application whitelisting is to protect the host environment and applications from
unauthorized code (malware-based injection, remote-execution), thereby compromising the host
environment (24).
According to the US National Security Agency (NSA), application whitelisting is not a replacement
for traditional security software, such as antivirus and host firewalls (25). Using whitelists is one
layer in a defense-in-depth strategy. Table 4-1 shows the advantages and disadvantage listed by
NSA.
Advantages Disadvantages
Blocks most current malware Requires performance overhead to enforce the whitelist
(varies greatly depending on implementation)
Prevents use of unauthorized applications Requires regular maintenance of the whitelist to add
new applications and remove ones that are no longer
approved
Does not require daily definition updates Causes some users to be annoyed beca use they cannot
download and run applications at will
Requires administrator installation and approval of new Requires additional time and manpower to maintain.
applications
Jim Beechey concludes in his report that whitelisting provides a dramatic improvement in the level
of visibility into files being introduced into an environment (26). This can be extremely helpful for
incident responders. To reduce significantly the risk of today’s malware organizations [EPUs] can
use the technology. This helps reduce the likelihood of system compromise and reduces cost of
staff to deal with malware related issues.
Considering the nature of application whitelisting, it is most useful in static environments, i.e.
where there is a very low rate of change, resulting in a reduced operational overhead in
maintaining a valid whitelist. These include systems that are updated less frequently (where
availability is of the utmost priority), undergoes fewer configuration changes and have little n eed
to install additional software after commissioning. Examples of such systems include SCADA
servers, HMIs and Engineering Workstations.
33
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
34
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
1) Train defenders on using tools such as YARA (which is open sourced) to scan digital images
and evidence collected from the environment, but do not perform scans in the production
environment itself (17). YARA is a popular tool that provides a robust language, which is
compatible with Perl-based Regular Expressions, and is used to examine the suspected
files/directories and match strings as is defined in the YARA rules with the file – see
http://resources.infosecinstitute.com/yara -simple-effective-way-dissecting-malware/.
2) Commercially available tools provide the ability to perform penetration testing. Howev er,
penetration testing is largely an art form that requires specialized skills. One example of the
skills needed is describe by the INFOSEC Institute – see
http://resources.infosecinstitute.com/category/pen-testing-1/.
3) Phishing can take many forms and can be achieved with many tools and techniques. The
most common tools and techniques that are used to carry out phishing scams are described
by the INFOSEC Institute – see
http://resources.infosecinstitute.com/category/enterprise/phishing/phishing -tools-
techniques/.
4) The INFOSEC Institute describes the procedure and tools need ed for forensic investigation.
One such tool is Redline – see http://resources.infosecinstitute.com/forensic-investigation-
with-redline/.
5) Wurldtech Technologies offers the Achilles Test Platform to test the robustness of
communication for industrial and automation devices (PLCs, DCS and others) . Such tests are
used to discover known and unknown vulnerabilities for remediation. A fact sheet d escribes
the Achilles Test platform – see
https://www.wurldtech.com/sites/default/files/achilles_test_platform_fact_sheet.pdf .
6) Invest in the necessary expertise to define and implement continuous tuning and operation
of the security information and event management (SIEM) and analysis tools, in “hunger
investigators” to proactively identify compromises. Focus attention on two areas:
a) Use SIEM to monitor privileged users and user activity.
b) Monitor changes to identity and access policies
7) Use forward-leaning technologies, like user and entity behaviour analytics (UEBA), and
advanced threat defense solutions like end-point detection and response (EDR) and network
traffic analyser (NTA) to extend SIEM capabilities to detect advanced threats.
35
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
One of the commercial tools available is the Fortinet FortiSIEM threat and security intelligence
product (28). Some of the services provided by FortiSIEM:
36
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
37
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
38
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Well after the event, the post-mortem analysis begins by gathering the evidence collected during
the incident and performing detailed analysis to determine the cause of the incident, the corrective
action and the procedure to mitigate a future occurrence that closes the incident. Figure 5 shows
the framework for the incident-handling module and the sub-modules.
39
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
7.2.2 Post mortem analysis and closure – “How and why did the event (incident) occur?”
Frank L. Greitzer (30) describes the combination of traditional cybersecurity audit data with
psychosocial data to support a move from an insider threat detection stance to one that enables
prediction of potential insider presence. Data fusion specialist commonly refer to the approach
shown in Figure 6 as “connecting-the-dots.” The precise algorithms needed to implement this
approach are well-beyond the scope of this technical brochure.
Instead, WG D2.38 defines a system dynamics model that focuses attention on the need to collect
automatically the data for post mortem analysis and describes a list of the technical parameters
for effective data fusion.
40
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Adapted from Combining Traditional Cyber Security Audit Data with Psychosocial Data: Towards Predictive Modelling for
Insider Threat Mitigation, F. Greitzer and D. Frincke, PNNL-SA-67978, 2010. Adapted with permission.
17 Graphic notation conforms to OMG’s Business Process Model and Notation (BPMN) [33] P. Wohed, W. M. van der
Aalst, M. Dumas, A. H. ter Hofstede, and N. Russell, On the suitability of BPMN for business process mode lling :
Springer, 2006.
41
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Identify
Coordination YES Assist Investigation Resolution
Vulnerability
Notify Vendor Notify Public
Unresponsive Unresponsive
Adapted from Coordinated Vulnerability Disclosure Reporting at ICANN , Version 2, Updated 5 August 2013. Reprinted
with permission.
Except for the last step, disclosure, notify public, the process described in Figure 7 applies to each
stage of the incident described in Figure 5. At each stage, the quality of information varies from
very preliminary (first look) to a well-supported conclusion leading to the resolution of the incident
and its closure. Disclosure of the public notification requires reaching a well -supported conclusion.
Certain vulnerabilities – for example, where the consequences of an event may (indirectly) affect
parties too numerous to contact directly, or where the potential for power deliver service
interruption is imminent or high – may require activation of broader crisis management handling
measures than are available within the EPU. In this case, the report and supporting da ta need to
be turned over to an entity with a wider reach to the stakeholders (e.g., international, inter -
governmental).
EPU reporters should include as much of the following documentation as possible in a vulnerability
or threat report. The tool set, which is the subject of this technical brochure, should provide the
means to collect automatically the data and, with human annotation of the findings, should provide
a coherent picture of the vulnerability or threat.
42
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Adapted from Coordinated Vulnerability Disclosure Reporting at ICANN , Version 2, Updated 5 August 2013. Adapted with
permission.
For other cybersecurity incidents, the European Commission has passed a directive called NIS
(Network and Information Security) that will be enforced in 2018. The directive leverages the
capabilities and authority of existing computer security incident response team (CSIRT) and
member states cybersecurity agencies (called national coordination point in the directive).
Breaches should be reported to national cybersecurity agencies that cooperate with the other
Member States under the ENISA association.
ENISA is seeking a sectorial coordination at the EU level. Some associations are emerging; e.g.,
European Network for Cyber Security (ENCS) 18. This is a new initiative that has some overlap of
responsibilities and authority with the TSO-DSO 19. It is too early to have a clear view on which
18 See https://www.encs.eu.
19 TSO-DSO has a broader role for the energy market and not just for cybersecurity.
43
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
associations will have control over sectorial cybersecurity, sectorial for a broader role, or European
wide. Moreover, as for any directive it must be translated into national laws for every Member
State, and some states may choose to enforce stricter incident disclosure rules.
Figure 9 shows EPRI’s view of a potential architecture for an ISOC. The ISOC also includes
vulnerability and threat information from external sources, such as information sharing and
analysis centres (ISACs), computer emergency readiness teams (CERTs), and law enforcement.
Adapted from Guidelines for Planning an Integrated Security Operations Center, by G. Rasche, December 2013, EP RI .
Adapted with permission.
Derived from several sources are EPRI’s guideline (including but not limited to sources (33) (34)
(35) (36). Commensurate with Figure 5, EPRI identified the key technologies used in an ISOC.
Figure 10 shows EPRI’s view of these technologies.
44
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Adapted from Guidelines for Planning an Integrated Security Operation Center, by G. Rasche, December
2013, EPRI. Adapted with permission.
45
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
46
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
8. BIBLIOGRAPHY
1. Deligati, L. SysML distilled Abrief guide to the system modeling language. s.l. : Addison-Wesley, 2013.
2. S. Friedenthal, A. Moore, and R. Steiner. A practical guide to SysML: the system modelling language. s.l. : Morgan Kaufman,
2015.
3. "Preliminary Cybersecurity Framework," Guideline. 2013.
4. Nagle., R. Smith and T. NIST Cybersecurity Framework: Is It Going Off The Rails? JD Supra Business Advisor.
Available: www.dsupra.com/legalnews/. 2013.
5. E. M. Hutchins, M. J. Cloppert, and R. M. Amin. "Intelligence-driven computer network defense informed by
analysis of adversary campaigns and intrusion kill chains,". Leading Issues in Information Warfare & Security
Research. 2011, Vol. vol1 p. 80.
6. Stanisteanu, A. I. "CRITICAL INFRASTRUCTURE ANALYSIS MODEL-ENERGY CRITICAL INFRASTRUCTURE,". The
International Annual Scientific Session Strategies XXI. 2015, Vol. vol 1 p 498.
7. Network, VVA Europe and Spark Legal. "Review of current national rules and practices relating to risk
preparedness in the area of security of electricity supply,". s.l. : European Commission, Luxermbourg: Publications
Office of the European Union, 2016.
8. Council, North American Electric Reliability. "Glossary of Terms Used in NERC Reliability Standards,". 2016.
9. Dion, K. Gordon and M. "Protection of'Critical Infrastructure'and the role of investment policies relating to
national security,". 2008.
10. A. D. a. S. Actemium, Arkoon-Netasq, A.R.C. Informatique, Atos Worldgrid, Hirschmann, Cassidian Cybersecurity,
et al. "Cybersecurity for Industrial Control Systems - Classification Method and Key Measures," French Network and
Information Security Agency. 2013.
11. L. Frenkel, D. Berko, and A. Ginter. "Experience with Unidirectional Security Gateways Protecting Industrial
Control Systems," ed: CRITIS, 2012. s.l. : ed: CRITIS, 2012.
12. Ginter, A. "Securing Power Generation with Unidirectional Security Gateways," ed: Waterfall Security Solutions
Ltd., August 2015. s.l. : ed: Waterfall Security Solutions Ltd., 2015.
13. —. "Introcution to Waterfall Unidirectional Security Gateways: True unidirectionality, True Security,". August
2012.
14. "Protecting Control Systems from Advanced Threats," in AFPM Annual Meeting 2012, 2012, p. 8. Ginter, A. s.l. :
in AFPM Annual Meeting 2012, p. 8., 2012.
15. "Data diodes in support of trustworthy cyber infrastructure,". Sheldon, H. Okhravi and F. T. s.l. : in Proceedings
of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, 2010, p. 23., 2010.
16. "Command & Control : Understanding, Denying and Detecting," . J. Gardiner, M. Cova, and S. Nagaraja. s.l. :
University of Birmingham, February 2014.
17. "Analysis of the cyber attack on the Ukrainian power grid - Defense use case,". Robert M. Lee, Michael J.
Assante, and T. Conway. s.l. : Electricity Information sharing and analysis center (E-ISAC), Washington, DC 20005,
Report, March 18, 2016.
18. "Decentralized robustness,". Myers, S. Chong and A. C. s.l. : in Computer Security Foundations Workshop, 19th
IEEE, 2006, pp. 12 pp.-256., 2006.
19. "Enforcing robust declassification," in Computer Security Foundations Workshop, 2004. Proceedings. 17th IEEE,
2004, pp. 172-186. A. C. Myers, A. Sabelfeld, and S. Zdancewic. s.l. : in Computer Security Foundations Workshop,
2004. Proceedings. 17th IEEE, pp. 172-186., 2004.
20. International Standards Organization, "ISO/IEC 27001:2013 - Information technology - Security techniques -
Information security management systems - Requirements,". Organization, International Standards. s.l. : ed:
ISO/IEC, 2013.
21. "The NIST definition of cloud computing," in National Institute of Standards and Technology vol. 53, ed, 2009, p.
50. Grance, P. Mell and T. s.l. : in National Institute of Standards and Technology vol. 53, ed, 2009, p. 50., 2009.
22. "Detection of illicit traffic based on multiscale analysis,". E. Rocha, P. Salvador, and A. Nogueira. s.l. : in
Software, Telecommunications & Computer Networks, 2009. SoftCOM 2009. 17th International Conference on, pp.
286-291., 2009.
23. Next-Generation Firewalls for Dummies. . Miller, L. C. s.l. : Hoboken, NJ: Wiley Publishing, Inc., 2011.
47
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
24. Raising the bar for Cybersecurity: Center for Strategic and International Studies. Lewis, J. A. 2013.
25. "Application Whitelisting,". Agency, National Security. s.l. : ed, 2013.
26. Beechey, J. "Application Whitelisting: Panacea or Propaganda," SANS Reading Room.[online] http://www. sans.
org/reading_room/whitepapers/application/application-whitelisting-panacea-propaganda_33599. Retrieved on
January, vol. 26, p. 2012, 2010. SANS Reading Room.[online] http://www. sans.
org/reading_room/whitepapers/application/application-whitelisting-panacea-propaganda_33599. Retrieved on
January, vol. 26, p. 2012, 2010. [Online] http://www. sans.
org/reading_room/whitepapers/application/application-whitelisting-panacea-propaganda_33599..
27. "Use SIEM for targeted attack detection,". Toby Bussa, Kelly M. Kavanagh, and O. Rochford. s.l. : Research from
Gartner, Fortinet, 30 June 2016.
28. "Fortinet FortiSIEM: Actionable Threat and Security Intelligence,". Palmer, T. s.l. : Enterprise Stategic Group
(ESG)July 2016., July 2016.
29. "Cybersecurity Standards: Managing risk and creating resilience," Computer, pp. 70-76. I. L. Zachary A. Collier,
Daniel DiMse, Steve Walters, Mark (Mohammad) Tehranipoor, James H. Lambert. s.l. : Computer, pp. 70-76,,
September 2014.
30. "Combining Traditioanl Cybersecurity Audit Data with Psycho-Social Data: Towardspredictive Modeling for
Insider Threat Mitigation," . Frincke, F. L. Greitzer and D. A. s.l. : Richland, WA PNNL-SA-67978, 2010.
31. Coordinated Vulnerability Disclosure Reporting at ICANN. https://www.icann.org/en/about/staff/security/.
[Online] (2013, August 5). https://www.icann.org/..
32. "Guidelines for Planning an Integrated Operations Center,". Rasche, G. s.l. : Palo Alto, CA, Update Report
3002000374, December 2013.
33. "Critical Infrastructure Protection (CIP) standards". Corporation, North American Electric Reliability.
34. Security, Department of Homeland. Recommended Practice: Creating Cyber Forensic Plans for Control Systems.
http://ics-cert,us-cert.gov/sites/default/files/forensics_RP.pdf. [Online]
35. "Recommended Practice: Developing an Industrial Control System Incident Response Capability,". Security,
Department of Homeland.
36. "Security and Privacy Controls for Federal Information Systems and Organizations,". Technology, National
Institute of Standards and. s.l. : I. T. L. Computer Security Division, Ed., Revision 4 ed. Gaithersburg, MD, April 2013,
p. 460., 2013.
37. "A System Dynamics Model of an Insider Attack on an Information System," . C. Melara, J. M. Sarriegui, J. J.
Gonzalez, A. Sawicka, and D. L. Cooke. s.l. : in Proceedings of the 21st International Conference of the System
Dynamics Society, July 20-24, 2003.
38. "Preliminary System Dynamic Maps of the Insider Cyber-threat Problem,". D. Andersen, D. M. Cappelli, J. J.
Gonzalez, M. Mojtahedzadeh, A. P. Moore, E. Rich, et al. s.l. : in System Dynamics Modelling for Information
Security: An Invitational Group Modeling Works.
39. "Security Requirements for Cryptographic Modules,". Technology, National Institute of Standards and. 2002.
40. On the suitability of BPMN for business process modelling. P. Wohed, W. M. van der Aalst, M. Dumas, A. H. ter
Hofstede, and N. Russell. s.l. : Springer, 2006.
41. Booz Allen Hamilton report. (August 25, 2016). Industrial companies in the Middle East facing risk of cyber-
attacks (September 2016 ed.). Available: http://www.bi-
me.com/main.php?id=71639&t=1&c=34&cg=4&mset=1011. Industrial companies in the Middle East facing risk of
cyber-attacks (September 2016 ed.). s.l. : Available: http://www.bi-
me.com/main.php?id=71639&t=1&c=34&cg=4&mset=1011, 2016.
42. Luene, G. Farnham and K. "Tools and Standards for Cyber Threat Intelligence,". s.l. : Technical Paper2013-10-
13.
43. Y. Zhang, Y. Xiang, and L. Wang. "Reliability Analysis of Power Grids with Cyber Vulnerability in SCADA
System,". s.l. : in IEEE Power & Energy Society General Meeting, Washington D.C., July 27-31, 2014.
44. Y. Xiang, L. Wang, and Y. Zhang. "Power System Adequacy Assessment with Probabilistic Cyber Attacks Against
Breakers,". s.l. : in IEEE Power & Energy Society General Meeting, Washington D.C., July 27-31, 2014.
45. I. Parvez, A. Islam, and F. Kaleem. "A Key Management-Based Two-Level Encryption method for AMI,". s.l. : in
IEEE Powwer & Energy Society General Meeting, Washington D.C., July 27-31, 2014.
46. Ginter, Andrew. Cyber-Physical Security pp 71. Switzerland : Springer, 2016.
48
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
47. S. Kamara, S. Fahmy, E. Schultz, F. Kerschbaum, and M. Frantzen. "Analysis of vulnerabilities in internet
firewalls," . s.l. : Computers & Security, vol. 22, pp. 214-232,, 2003.
48. M. Frantzen, F. Kerschbaum, E. E. Schultz, and S. Fahmy. "A framework for understanding vulnerabilities in
firewalls using a dataflow model of firewall internals,". s.l. : Computers & Security, vol. 20, pp. 263-270, 2001.
49. Casey, B. Identifying and preventing router, switch and firewall vulnerabilities. Available:
http://searchsecurity.techtarget.com/tip/Identifying-and-preventing-router-switch-and-firewall-vulnerabilities.
[Online] 2013.
50. "A SysML Extension for Security Analysis of Industrial Control Systems,". L. Lemaire, J. Lapon, B. De Decker, and
V. Naessens. 2014.
51. "An analysis of security issues for cloud computing,". K. Hashizume, D. G. Rosado, E. Fernández-Medina, and E.
B. Fernandez. s.l. : Journal of Internet Services and Applications, vol. 4, pp. 1-13, 2013.
52. "Security analysis in the migration to cloud environments," . D. G. Rosado, R. Gómez, D. Mellado, and E.
Fernández-Medina. s.l. : Future Internet, vol. 4, pp. 469-487, 2012.
53. "Security guidance for critical areas of focus in cloud computing v3. 0,". Alliance, Cloud Security. s.l. : Cloud
Security Alliance, 2011.
54. "OWASP Top-10 2013," . Wichers, D. s.l. : OWASP Foundation, February, 2013.
55. "Towards Trusted Cloud Computing,". N. Santos, K. P. Gummadi, and R. Rodrigues. s.l. : HotCloud, vol. 9, pp. 3-
3, 2009.
56. "Security for the cloud infrastructure: Trusted virtual data center implementation," . S. Berger, R. Cáceres, K.
Goldman, D. Pendarakis, R. Perez, J. R. Rao, et al. s.l. : IBM Journal of Research and Development, vol. 53, pp. 6: 1-
6: 12, 2009.
57. "An empirical study into the security exposure to hosts of hostile virtualized environments,". Ormandy, T. s.l. :
ed: Citeseer, 2007.
58. "Network security for virtual machine in cloud computing,". H. Wu, Y. Ding, C. Winer, and L. Yao. s.l. : in
Computer Sciences and Convergence Information Technology (ICCIT), 2010 5th International Conference on, pp.
18-21., 2010.
59. "On Cloud Now: Cloud Technologies are Here for Utilities," . Utilities, O. s.l. : ed,, 2016.
60. "Cloud computing applications for smart grid: A survey," . S. Bera, S. Misra, and J. J. Rodrigues. s.l. : Parallel and
Distributed Systems, IEEE Transactions on, vol. 26, pp. 1477-1494, 2015.
61. "Monitoring Requirements in Systems of Systems,". Rabiser, M. Vierhauser and R. s.l. : IEEE Software, vol. 33,
pp. 22-24, 2016.
62. "A requirements monitoring framework for enterprise systems,". Robinson, W. N. s.l. : Requirements
engineering, vol. 11, pp. 17-41, 2006.
63. "Monitoring our requirements," . Maiden, N. s.l. : IEEE software, vol. 30, pp. 16-17, 2013.
64. "Critical capabilities for identity and access management as a service worldwide," . Wynne, G. K. Neil. s.l. :
Gartner, Inc. ID: G00299338., 29 September 2016.
65. Standards for hybrid clouds. Sill, Alan. s.l. : Computing Edge. pp 30-33. , June 2016.
66. "Security Policy Transition Framework for Software Defined Networks," . J. Jacob H. Cox, R. J. Clark, and H. L.
Owen. s.l. : presented at the 2nd IEEE NFV-SDN conference, Palo Alto, CA USA, 2016.
67. Security metrics: Pearson Education. Jaquith, A. 2007.
49
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
50
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Note to entry: Block all other programs (including most malware) from running
by default. Application whitelisting enables only the administrators, not the users,
to decide which programs to run.
51
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Phrase Definition
cabotage transport of goods or passengers between two places in the same
country by a transport operator from another country
formal controls business structures and process that ensure the correct general
conduct of business and reduce the probability of an incident or
attack
information security location where enterprise information systems are monitored, assessed,
operation centre and defended
(ISOC)
52
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Phrase Definition
intrusion device or software application that monitors a network or systems
detection/protection for malicious activity or policy violations
system (IDPS)
Note 1 to entry: Intrusion prevention systems, also known as intrusion
detection and prevention systems, are network security appliances that monitor
network and/or system activities for malicious activity. The main functions of
intrusion prevention systems are to identify malicious activity, log information
about this activity, attempt to block/stop it, and report it.
Note to entry: The steps of this process are find, fix, track target , engage,
assess: find adversary [EPU] targets suitable for engagement, fix their location,
track and observe, target with a suitable cyber-based asset to create the desired
effects, engage the EPU assets, assess the effects. This is an integrated, end -to-
end process described as a “chain” because any on deficiency will interrupt the
entire process.
logic bomb piece of code intentionally inserted into a software system that will
set off a malicious function when specified conditions are met
Note to entry: A logic bomb requires the payload should be unwanted and
unknown to the user of the software. As an example, trial programs with code
that disables certain functionality after a set time are not normally logic
bombs.
53
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Phrase Definition
record of action documentation of the results developed from the analysis of a
specific action
54
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Phrase Definition
spear-phishing an email that appears to be from a known or trusted individual or
business
Note to entry: But it isn’t, it’s from the same hacker or criminal.
stateful inspection maintains the status of active connections through the firewall to
dynamically allow inbound replies to outbound connections
technical controls mechanisms that protect the system from incidents or attacks
technical security quantitative index of the enabling mechanisms that are appropriate
level (TSL) for the security requirements of the application and environment
[modify FIPS SP 140-2 (39) usage]
55
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Phrase Definition
unidirectional a combination of hardware and software whose hardware is
gateway physically able to transmit information in only one direction, and
whose software replicates servers and emulates devices.
usability specification of the fitness for use of a Solution for its users and
requirement other actors
AV anti-virus
56
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
IT information technology
OT operational technology
57
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
SP special publication
VM virtual machine
58
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
The SANS Institute published a paper describing the effective use of cyber threat intelligence (CTI)
data (42). The authors describe a set of nine capabilities to process cyber threat intelligence data
obtained internally and from external sources. CIGRE WG D2.38 used the SANS capabilities to
develop the questions for the global survey. Shown below is WG D2.38’s description of the required
capabilities.
Question
Question asked Response options Objective
ID
Within your EPU is IT or OT the IT, OT, or either depending on the Describe
5
cybersecurity team leader? cyber-physical incident. separation of
59
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Question
Question asked Response options Objective
ID
Does your EPU form a single duties &
cybersecurity team or are the team information
6 Single team or Separate team sharing issues.
structure separated between IT
and OT?
60
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Question
Question asked Response options Objective
ID
Do you use a forced outage rate
(FOR) model to forecast the YES, NO
occurrence of forced outage on a Cyber-robustness
13 If NO, describe how the impact is
component which indicates the metric
unavailability status and the impact assessed.
of the cyber-attack?
61
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Question
Question asked Response options Objective
ID
None of the above
ISO 27000
Which of the documents (if any) do NIST 800-53 Revision 3 or earlier
24 use to establish security assurance Other
requirements? IEC 62443-3-3 (ISA 62443-3-3)
IEC 62443-2-1 (ISA 62443-2-1)
NIST 800-53 Revision 4
What method was used to identify Our own subject matter expert.
25 the minimum-security
requirements? Developed our own method.
For most questions, findings and observations for the two major subgroupings (North America and
International) were quite similar. However, when international regions were placed in smaller
subgroups, the North American and European responses were strikingly similar, while th ere were
substantial differences observed for the responses to some key questions from utilities in Latin
America, Africa and the Middle East, and the Asia -Pacific countries.
Question
Question asked Response summary
ID
62
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Question
Question asked Response summary
ID
Nearly 70% of the subset of utility officials responding to this
Do the tools require specialized
question indicated that specialized knowledge and training in
2 knowledge and training in
cybersecurity analysis is required to effecti vely operate the
cybersecurity analysis?
cyber tools.
Are the tools automated to Nearly three quarters of the responding subset of utility
facilitate data collection, sorting, officials (who had earlier indicted having cyber tools) reporte d
3
and use of standard report that cyber threat tools are automated to facilitate data
templates? collection, sorting and use of standard report templates.
Downtime per hour was cited more frequently than other listed
measures. SAIDI and SAIFI were also important measures.
SAIDI is the average outage duration for each customer
What measure of downtime is used served. SAIDI is measured in units of time, often minutes or
9 to evaluate impact or severity of a hours.
fault regardless of its cause?
SAIFI is the average number of interruptions that a customer
would experience. In other words, SAIFI is measured in units of
interruptions per customer.
Using the methodology in question Sixty-one percent cited “in-depth knowledge of system and
5, do you normally have consensus settings is required to effectively execute a cyber -attack.”
11
on the following factors? Check all Fifty-eight percent indicated “the cybersecurity systems
that apply. adequately thwart probing of the operational networks.”
The most important operational impact of the eight listed
Rank order (1=highest, 6=lowest)
security breach scenarios based on the replies from utility
the impact of security breach
12 officials would be an attack in the control room or control
scenarios on your utility’s
centre, followed closely by an insider attack. All eight scenarios
operation.
were viewed as having significant impact on operations.
63
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Question
Question asked Response summary
ID
Do you use a forced outage rate One quarter of the 30 respondents to this question were using
(FOR) model to forecast the a FOR model to forecast the occurrence of a forced outage on
occurrence of forced outage on a a component indicating unavailability status and the impact of
13
component which indicates the the associated cyber-attack. North American officials were
unavailability status and the impact much more likely to use a FOR model than were their
of the cyber-attack? international counterparts (46% to 12%).
Which of the document(s) do you This question was only asked of North American e lectric utility
21 use to establish security assurance respondents. Four responded and none used any of the
requirements? documents listed.
64
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Question
Question asked Response summary
ID
More than one-half of the replies indicated no use of any of
Which of the documents (if any) do
the five listed documents, while two officials cited “other”
24 use to establish security assurance
documents: NERC CIP and the New Zealand’s (NZ) draft
requirements?
cybersecurity standard.
65
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
66
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
The following year, 2004, twenty-five researches from eight institutions continued the work
and published system dynamics models of insider and outsider cyber -attacks with the objective
to improve organizational security and survivability by suppression of dynamic triggers (38).
They noted that the distinction between insider and outsider is possibly dynamic in that a
partner for one activity may be a competitor or adversary for another. WG D2.38 applied this
guideline to the requirement specification for tools.
Of particular interest to WG D2.38 is their view of how well targeted actions can reduce the
technical security level of the system. Furthermore, the model illustrates how the lack of formal
controls manifests in the way management perceived the security level of the system in terms
of downtime instead of in terms of security audits or other established formal controls.
Logic bombs used to gain control over the system introduce “time delays” which must be
considered to correlate accurately time-tagged status data for precursor analysis and impact of
downtime. Additional insight into quantifying time delays can be derived from examining other
models that focus attention on specific targets of opportunity; e.g., SCADA system (43), breaker
tripping (44), and advanced metering infrastructure (45).
With adequate SLM capabilities, the security level is continuously checked against current
performance of the security systems (malware scanner, patch systems, etc.). With proper
awareness training, early on deviations are recognized and adjustments made to the security
systems.
Author’s Note: at the time of this report, the following clauses identify global survey questions
and to interpret responses to the questions. In the future, WG D2.38 may use the equations to
generate parametric data to evaluate cyber -physical sensitivity issues. For now, the clause and
equations are preliminary, rough draft thoughts. However, before running simulations WG
D2.38 needs to establish proper scenarios, targets of opportunity, and time scales.
WG D2.38 examined Melara’s (37) view of downtime, replicated in Figure 11, to identify these
factors. In accordance with this view, WG D2.38 focused attention on tool set requirements,
21 This technical brochure uses Vensim PLE for Windows is to develop the system dynamics model. The notation
used in the model is readily available in the Vensim user’s guide available from
http://vensim.com/docs/#user8217s-guide.
67
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
which if properly implemented provide the means to effectively manage the technical security
level. Two rate parameters (impact of incidents and downtime recovery) automate SLM.
Time Bomb
Severity Effect of Technical Severity
<Technical Level on Time Bomb
Security Level> Severity
Precursor Incident
Severity
Adapted from A System Dynamics Model of an Insider Attack on an Information System, by C. Melara, et.al. Adapted with
permission.
Where
Time Bomb Incident = DELAY FIXED (3 ∗ Incident Unit ∗ Preparing Time Bomb, 6, 0) Eq. 4
NOTE Measured in DS
68
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
NOTE Set as DS
NOTE Set as DS
NOTE Measure in DS
Fractional Effect of Formal Controls on Mgmt Time to Perceive Technical Security = 4 Eq. 17
69
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
WG D2.38 examined Melara’s view (37) of security level reduction, replicated in Figure 12, to
identify these factors. These factors and those in clause C.3 were used to formulate the
questions for the global survey outlined in Annex B, and then to understand the respondent’s
answers to the survey. Examination of Figure 10 identified five important factors for this
purpose.
Insider Decision to
Attack
Insider Actions to
Reduce Technical
Technical
Security Security
Technical Security Level Technical Security
Desired Technical Increment Reduction
Security
Init TSL
Insider Capacity to
Reduce Technical
Insider Actions Security Formal
Severity Controls
Fractional Time Management Perception
Increment Time to Increment
Technical Security of Technical Security
Time to Reduce
Technical Security Insider Desired
Technical Security
Reduction
Pressure to Grow
Fractional Effect of Downtime
Mgmt Commitment on Management Perception of Time to Perceive
to Security <Downtime> Technical Security Techncial Security
Adapted from A System Dynamics Model of an Insider Attack on an Information System, by C. Melara, et. al . Adapted
with permission.
70
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
1) Firewalls are routers with filters, forwarding some subset of network traffic from one
network to another. For attack packets to penetrate a firewall, the packets must be
crafted to contain attack information and defeat the firewall filter software.
2) All firewalls are software, and all software has vulnerabilities – firewalls are no exception.
Firewall firmware update programs should promptly apply security updates for known
vulnerabilities. Even with such programs though, f irewalls are always vulnerable to so-
called zero-day vulnerabilities.
3) Firewalls are configurable, and so stolen administrator credentials for a firewall can
generally be used to reconfigure the firewall into an insecure state. In the worst case, a
compromised or otherwise mis-configured firewall is no more than a router.
D.2 WHY PORT-BASED FIREWALLS ARE NOT EFFECTIVE
Lawrence Miller described in simple terms why port -based firewalls are no longer effective (23).
Port-based firewalls (and their variants) use source/destination IP addresses and TCP/UDP port
information to determine whether to allow a packet to pass between networks or network
segments. The firewall inspects the first few bytes of the TCP header in an IP packet to
determine the application protocol – for example, SMTP (port 25) and HTTP (port 80).
Most firewalls configurations allow all traffic originating from the trusted network to pass
through to the untrusted network, unless specifically blocked by a rule. For e xample, the Simple
Network Management Protocol (SNMP) might be explicitly blocked to prevent certain network
information from being inadvertently transmitted to the internet [or from the operations
network to the business network]. This would be accomplished by blocking UDP port 161 and
162, regardless of the source or destination IP address.
Static port control is relatively easy. Stateful inspection firewalls address dynamic applications
that use more than one well-defined port (such as FTP ports 20 and 21). When a computer or
server on the trusted network originates a session with a computer or server on the untrusted
network, a connection is established. For stateful packet inspection firewalls, create a
temporary dynamic rule to allow responses or replies from the computer or server on the
untrusted network. Otherwise, explicitly permit the return traffic, or manually create firewall
access rules (which usually is not practical).
Malicious intent hidden by way of tunnelling within well-known protocols. For example, malware
propagates, extract information and issue control and command instructions via tunnelling
within HTTP or other commonly used protocols that seem harmless and willingly passed by the
traditional port-based firewall. However, when used in combination with application -aware
controls such as App-ID (see 4.2.2), traffic flows that are suspiciously out of the pr otocol norm,
such as tunnelled traffic, can be identified.
71
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
The firewall dataflow model, shown in Figure 13, gives an overall description of firewall by
detailing the operations they perform 22 . When a packet is received by a firewall, it first
undergoes link layer filtering. Then it is checked against a dynamic rule set. The packet then
undergoes packet legality checks and IP and port filtering. Finally, network/port address
translation is performed. Sophisticated firewalls also reassemble packets and perform
application level analysis. After a routing decision is made on the packet, out -bound filtering
may also be performed. Each of these operations is optional, and the order in which a traverse
them may also differ in different firewalls.
22 BPMN notation is used to modify the figure extracted from [47] S. Kamara, S. Fahmy, E. Schultz, F.
Kerschbaum, and M. Frantzen, "Analysis of vulnerabilities in internet firewalls," Computers & Security, vol. 22,
pp. 214-232, 2003.
72
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Packet reassembly
Routing decision
Packet release
Casey continues with the threat of border gateway protocol (BGP) redirection. “Another
potential danger in utilizing networked equipment is data loss. While attacks can be
accomplished several diverse ways, a method known as BGP redirection has become
increasingly troubling. BGP exchanges the routing information and unique identifiers known as
autonomous system numbers (ASNs) that are assigned by either the Internet Assigned Number
73
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Authority, or IANA, or Regional Internet Registries, or RIRs. When packets cross an ISP’s
gateway, the gateway can identity which ISP an individual packet came from by e xamining the
ASN in the packet’s header.”
1) Validation error: A validation error occurs when the program interacts with the
environment without ensuring the correctness of the environmental data. There are three
types of environmental data that need validation: input, origin, and target.
a. Input validation ensures that the input is as expected. This includes the number, type
and format of each input field.
b. Origin validation ensures that the origin of data is what it is claimed to be, e.g.
checking the identity of the IP source.
c. Target validation ensures that the information goes to the place it is supposed to. This
includes ensuring that the protected information does not go to an untrusted target.
2) Authorization error: An authorization error permits a protected operation to be invoked
without sufficient checking of the authority of the invoking agent.
3) Serialization/Aliasing error: A serialization error permits the asynchronous behaviour of
different system operations to be exploited to cause a security violation. Many time -of-
check-to-time-of-use flaws fall into this category. An aliasing flaw occurs when two names
for the same object can cause its contents to change unexpected ly, and, consequentially,
invalidate check already applied to it.
4) Boundary checking error: A boundary checking error is caused by failure to check
boundaries and ensure constraints. Not checking against excessive values associated with
table size, file allocation, or other resource consumption, leads to a boundary checking
error. Buffer overflow is the result of a boundary checking error.
5) Domain error: A domain error occurs when the intended boundaries between protection
environments have “holes.” This causes the information to implicitly leak out.
6) Weak/Incorrect design error: A design error occurs can be traced to the system design
phase. For example, a weak encryption algorithm falls into this category.
74
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
1) Execution of code: This occurs when a vulnerability can lead to code being illegitimately
executed. This includes, but is not limited to code written by an attacker.
2) Change of target resource: This occurs when a vulnerability allows the state of a resource
to be illegitimately changed by an attacker. A resource can be a host, a firewall rule table,
or any entity that should be protected by the firewall.
3) Access to target resource: This occurs when a vulnerability allows an attacker illegitimate
access to a target resource. Examples of this vulnerability effect include allowing an
attacker to read the firewall rule tables, of to find out which services are available on a
protected host.
4) Denial of service (DoS): This occurs when a vulnerability is exploited to disrupt a service
provided to legitimate users. Services in this context may range from packet forwarding or
network address translation to administration.
75
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
76
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
23 Netflow is a feature introduced on Cisco routers that give the ability to collect IP network traffic as it enters or
exits an interface. By analyzing, the data provided by NetFlow a network administrator can determine things such
as the source and destination of the traffic, class of service, a nd the cause of congestion. NetFlow consists of
three components: flow caching, flow collector, and data analyzer.
24 sFlow, short for "sampled flow", is an industry standard for packet export at Layer 2 of the OSI model. It provides
a means for exporting truncated packets, together with interface counters. The sFlow.org consortium, the
authoritative source of the sFlow protocol specifications, performs maintenance of the protocol. The current
version of sFlow is v5.
77
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
1) The responsible organizational unit should segment the network to separate devices with
different trust and risk values (e.g., front -facing, public servers vs. internal hosts storing
sensitive data). Consult IEC 62443-3-2 to develop effective segmentation architecture.
Other references are the ANSSI Cybersecurity for Critical Infrastructure standards.
2) The responsible organizational unit should enforce rate -limit policies to slow down traffic
directed to disreputable or un-trusted endpoints.
3) The responsible organizational unit should enforce the means to block unwanted or
unused communication mechanisms that may be used to piggyback control activity.
78
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Requirements specified in one or more standards, or derived by EPU experts are constrained
by the unique scope and focus of the operational environment and mission objective. To
exacerbate this situation several years separate the deployment of EPU operational systems,
subsystems and components. Thus, it is necessary to examine the relationship between
requirement objectives specified in all applicable sources. Such examination requires a coherent
methodology and tool set 25 to facilitate importing requirement objectives and subsequently
depicting these objectives in graphical, tabular, matrix, or tree structure format 26. The key
features used to develop conformance metrics include:
When a requirement nests other requirements, all nested requirements apply as part of the
container requirement (the requirement that contains all nested requirements. Deleting the
25 Many commercial tools are available to support RCA. The tool used to develop IEC 62443 -1-3 is MagicDraw® and
the Cameo Systems Modeler™ plugin that are available from No Magic, Inc. For more information about Cameo
Systems Modeler go to http://www.nomagic.com/products/cameo-systems-modeler.html.
26 SysML is the system modeling language. More information about SysML is found in [2] S. Friedenthal, A. Moore,
and R. Steiner, A practical guide to SysML: the systems modeling language : Morgan Kaufmann, 2015. A concise
description of the SysML notation is found in[1] L. Delligatti, SysML distilled: A brief guide to the systems
modeling language : Addison-Wesley, 2013.Model-based system engineering language (MBSE) is used to visualize
complexities introduced by integrating cybersecurity functionality into the functional requirements for industrial
control systems.
79
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
container requirement will thus delete all the nested requirements it contains; a functionality
inherited from UML. This technical brochure makes use of several requirement subtypes:
Usability requirement: A usability requirement specifies the fitness for use of a system for
its users and other actors.
80
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Collaboration diagrams are like UML’s activity diagrams with swim lanes to segregate
organizational roles and responsibilities 27.
choreography task – A task that defines a set of participants that exchanges messages to
complete a task. These are connected to each other and to events that trigger or are
generated by the task and other BPMN symbols as needed.
multiple participants’ marker – Applied to one or both choreography task participant
identifiers to show there’s a set of participants of the same kind.
sub-choreography – This is a plus symbol annotating the sub-choreography showing that it
contains a refined choreography with several interactions.
expanded sub-choreography – Looks like a big sub-choreography showing detailed
interactions in the diagram’s bounding box. The diagram is a detail of interactions (message
exchange) between participants.
F.3.3 Technical RCA
Unified modelling language (UML) structures form the basic building blocks for technical
requirements coverage analysis. Two model structures are integrated to develop conformance
specifications for technical requirement objectives: 1) capability model and 2) information (data)
model. “Profiles” provide the facility for adding specificity to basic UML concepts. The capability
model is used to define a UML shape as a capability rather than a class. The data model makes
the abstract more tangible, turning concepts from the information m odel into a format that can
be used for analysis. Three diagrams provide the facility for this analysis.
27 The description of business modeler diagrams implemented in Cameo™ is provided by No Magic, Inc.
81
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
c. Parametric diagram represents the usage of the constraints by binding the constraint
usage to the value properties of the block.
F.4 SYSML FRAMEWORK EXTENSIONS
F.4.1 Packages and packable elements
The model used to describe the conformance metrics in this document is derived using SysML
techniques. The model elements contained within a package 28 are called packable elements,
examples of which are blocks, use cases, and activities.
1) In addition to having a place in the containment hierarchy, each model element with a
name (called a named element) must also be a member of a namespace.
2) A namespace enables its members to be uniquely identified within it by name.
3) A package is a namespace for the packable elements it contains.
4) A packable element has a fully qualified name to locate it in the package hierarchy of a
model.
5) Elements contained in one package can be imported into another package by simply
referencing their name within that package.
6) Dependency is a relationship between named elements that can be specialized as need to
reflect specific semantics.
Containment is used to represent how a compound requirement can be partitioned into a set
of simple requirements. For example, the high-level cybersecurity requirements specified in a
package called the "Owner/Operator" package. The industrial control system (ICS) is viewed as
a system-of-systems. For example, consider a power plant (see Figure 1) that requires a safety
instrumented system (SIS) as one system that is part of the IACS.
28 Packages are best used to describe the organization of the system model. See chapter 10 in [1] L. Delligatti,
SysML distilled: A brief guide to the systems modeling language : Addison-Wesley, 2013. Also, this technical
brochure follows Delligatti’s recommendation on when to use packages and when to use block definition diagrams
(BDD) – See section 10.8.
82
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
One could easily argue that EPU analysts should examine the system model (see 0) and use
the BDD tools to develop a workable model of their domain of interest. Delligatti (1) and others
(2) strongly recommend this as the first step to effectively visualizing the relationship between
system components, and by extension in this technical brochure the seamless integration of
cybersecurity controls and their management systems.
1) There is a distinction between definition and instantiation. Some elements (e.g. blocks,
value types, constraint blocks) represent definitions of types; other elements (e.g. part
properties, value properties, constraint properties) represent instances of those types.
Thus, a block represents a type of entity, not an instance. For example, a block named
Workstation represents a type that defines a set of properties that are common to all
instances. Each workstation EPU deploys is a distinct instance of that Workstation block.
2) Features come in two varieties: structural features (also known as properties) and
behavioural features.
83
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
84
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
1) On-demand self-service.
EPU organizations can unilaterally provision computing capabiliti es such as server time and
network storage, as needed to automatically update the information without requiring human
interaction with each service provider. The underlying assumption is that each EPU organization
may be free to select a cloud computing service provider that best serves their requirements
and constraints.
3) Resource pooling.
The cloud provider’s computing resources are pooled to serve multiple EPU consumers using a
multi-tenant model, with different physical and virtual resources dynamically assigned and
reassigned per consumer demand. Examples of resources include storage, processing, memory,
and network bandwidth. For example, access to historical records, topology configurations, and
settings data provides the information needed to reconfigure a protection scheme.
4) Rapid elasticity.
Capabilities can be elastically provisioned and released, in some cases automatically, to scale
rapidly outward and inward commensurate with demand.
5) Measured service.
Resource usage can be monitored, controlled, and reported, providing transparency for both
the provider and consumer of the utilized service. Such transparency satisfies a basic security
requirement to actively monitor all activity to identify anomalous behaviour.
85
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
supplier. The EPU organization does not manage or control the underlying cloud infrastructure
including network, servers, operating systems, or storage, but has control over the deployed
applications and possibly configuration settings for the application -hosting environment.
1) Private cloud
Private cloud infrastructures are provisioned for exclusive use by a single EPU organization
comprising multiple departmental units within the organization. It may be owned, managed,
and operated by the EPU host organization, a third part y, or some combination of them, and it
may exist on or off the premises.
2) Community cloud
Community cloud infrastructures are provisioned for exclusive use by a specific community of
EPU organizations that have shared concerns (e.g. mission, security requir ements, policy, and
compliance considerations). It may be owned, managed, and operated by one or more of the
organizations in the community, a third party, or some combination of them, and it may exist
on or off the premises.
3) Public cloud
Public cloud infrastructures are provisioned for open use by the public. They may be owned,
managed, and operated by a business, academic, or government organization, or some
combination of them. It exists on the premise of the cloud provider.
4) Hybrid cloud
Hybrid cloud infrastructures are composed of two or more distinct cloud infrastructures (private,
community, or public) that remain unique entities, but are bound together by standardized or
proprietary technology that enables data and application portability (e.g. cloud bursting for
load balancing between clouds).
1) Develop the expertise (in-house or purchased service) to understand the cloud services
they consume and the risks they represent, which makes compliance to local laws and
regulations difficult.
2) Develop a process supported by security policies, procedures, and organizational
directives to consistently verify compliance or the secure handling of sensitive data within and
across these disparate services.
86
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
To manage risk, each organization with membership in the EPU security team, needs to plan
for adaptive access. For example, restricting access based on the location, time of day or
whether the device is EPU managed. For this reason, it is important that CASB providers either
provide identity services, or they can link to the EPU’s identity repositories for the application
of policy.
When applicable, EPUs should use a CASB solution that support the optional encryption and/or
tokenization of data (at the field- or the file-content/object level) to comply with local laws and
regulations. Implemented properly, data protection using encryption/tokenization can be a
powerful way to protect sensitive data in the cloud. It can also prevent the cloud service
provider from seeing it. However, when implemented as an in-line proxy, this may
create a single point of failure for the cloud service being accessed . Because of this
issue, external cloud data protection should only be considered when it is demanded by
regulatory requirements. When this approach is used:
1) The EPU security team should acknowledge and design for the limitations of encryption or
tokenization performed outside the cloud service provider.
2) Don’t encrypt all SaaS data; choose only specific individual fields or files that requir ed to
be tokenized or encrypted.
Risk mitigation requires the EPU security team to continuously verify secure and compliant
usage of cloud services. The team should investigate and respond to exceptions using such
tools as security information and event ma nagement (SIEM).
For these reasons, moving critical EPU applications and sensitive data to public cloud
environments must be addressed. As a minimum, a cloud solution provider must ensure that
EPU organizational units using these services will continue to have the same security and
privacy controls over their applications and services, provide evidence to demonstrate their
organization are secure and they can meet their service -level agreements, and that they can
proved compliance to auditors.
1) With SaaS, the burden of security lies with the cloud provider.
87
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
2) By contrast, with the PaaS model, a greater extensibility and EPU control is available.
3) IaaS offers even greater EPU control over security than do PaaS or SaaS.
The challenge EPU’s face is if the security maturity of their organizational units is sufficient to
manage the increased security complexities introduced by the PaaS and IaaS models. If they
lack the necessary security maturity, they may either defer using cloud-computing services or
place their trust in a SaaS cloud provider.
G.2.3 EPU’s need to understand the relationships and dependencies between cloud
service models
The Cloud Security Alliance described the relationships and dependencies between cloud service
models (53). It is important for EPUs to understand these relationships and dependencies
before deciding how best to use cloud computing services. PaaS as well as SaaS are hosted on
top of IaaS; thus, any breach in IaaS will impact the security in both PaaS and SaaS services,
but also it may be true on the other way around.
EPUs decision makers should consider that PaaS offers a platform to build and deploy SaaS
applications, which increases the security dependency between them. Because of these deep
dependencies, any attack to any cloud service layer can compromise the upper layers 29.
Table G- 1 provides an initial check list for EPU analysis. The last column identifies the cloud
service model layer exposed to these threats; e.g., SPI is all three layers (SaaS, PaaS, and IaaS)
and I is IAAS. The authors of (51) concluded that data storage and virtualization are the most
critical and an attack on them can do the most harm.
V01 Insecure interfaces Cloud providers offer services that can be accessed through APIs SPI
and APIs (SOAP, REST, or HTTP with XML.HSON). The security of the cloud
depends upon the security of these interfaces. Some problems are:
a) Weak credential
b) Insufficient authorization checks
c) Insufficient input-data validation
V02 Unlimited allocation of Inaccurate modelling of resource usage can lead to overbooking or SPI
resources over-provisioning.
V03 Data related a) Data can be collocated with the data of unknown owners with we ak SPI
vulnerabilities separation.
b) Data may be in different jurisdictions which have different local
laws and regulations.
c) Incomplete data deletion – data cannot be completely removed.
d) Data backup done by untrusted third-party providers
e) Information about location of data usually is unavailable or not
disclosed to the responsible EPU organization.
f) Data is often stored, processed and transferred in plain text.
29 For a more in-depth understanding of these relationships, see[51] K. Hashizume, D. G. Rosado, E. Fernández -
Medina, and E. B. Fernandez, "An analysis of security issues for cloud computing," Journal of Internet Services
and Applications, vol. 4, pp. 1-13, 2013.
88
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
T01 Account or service An account theft can be performed by diverse ways such as social SPI
hijacking engineering and weak credentials. If an attacker ga ins access to a user’s
credentials, they can access sensitive data, manipulate data, and
redirect any transaction.
T02 Data scavenging Since data cannot be completely removed unless the device is destroyed, SPI
attackers may be able to recover this data.
T03 Data leakage Data leakage happens when the data is retrieved by an entity (person SPI
or device) not authorized to receive that data. Data leakage may occur
when data is being transferred (data in transit) or when data is stored
(data at rest). Data leakage may occur when data is audited or
processed.
T04 Denial of service Denial of service happens when an attacker takes control of all available SPI
resources. Thus, the system cannot satisfy any request from other
legitimate EPU users due to resources being unavailable.
T05 EPU data A web cloud application falls into two parts: an application component S
manipulation operated somewhere in the cloud, and a browser component running
within the EPU user organization. Web applications are attacked by
manipulating data sent from the cloud-based application component to
the server’s application. For example, metering and billing data
manipulation and billing evasion are high-priority targets.
T06 VM escape The object of this threat is to exploit the hypervisor to take control of I
the underlying infrastructure
T07 VM hopping When a VM can gain access to another VM by exploiting some hypervisor I
vulnerability, which allows remote attacks and malware to compromise
the VM’s separation and protections, making it possible for an attacker
to gain access to the host computer, the hypervisor and other VMs, in
addition to being able to jump from one VM to another.
89
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
T08 Malicious VM An attacker who creates a valid account can create a VM image I
creation containing malicious code such as a Trojan horse and store it in the
cloud provider’s repository.
T09 Insecure VM Live migration of virtual machines exposes the contents of the VM state I
migration files to the network. Given this exposure, an attacker can:
a) Access data illegally during migration,
b) Transfer a VM to an untrusted host, and
c) Create and migrate several VM causing disruptions or denial of
service.
T10 Sniffing/spoofing A malicious VM can listen to the virtual network or even use add ress I
virtual networks registration protocol spoofing to redirect packets from/to other VMs.
T01 V01 An attacker can use a Identity and access management guidance
stolen account to get including dynamic credentials and ABAC/RBAC
access to the target’s management.
resources NOTE Dynamic credential changes its value once
an EPU user changes its location or when a
certain number of data packets have been
exchanged.
T02 V03a, V03c Data from shared cloud- Specify destruction strategies on service-level
based hard drives cannot agreements.
be completely removed.
T04 V01, V02 Attacker requests more Cloud providers can force policies to offer limited
computational resources, computational resources.
so other legal EPU users
are not able to get
additional capacity.
T06 V06a, V06b Zero-day exploit in the TCCP trusted cloud computing centre and trusted
hyperVM virtualization virtual data centre. TCCP adds a trusted virtual
application. machine monitor and a trusted coordinator. A
trusted virtual data centre insures isolation and
integrity in cloud environments.
NOTE see (55) (56) for an expanded discussion
of possible incidents and countermeasures.
T07 V04b, V06b Security flaws in most Future research is needed to develop an effective
virtual machine monitors. countermeasure.
NOTE see (57) for an expanded discussion of
possible incidents and countermeasures.
90
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
T08 V05a, V05b An attacker can create a One countermeasure approach is to include the
VM image containing following security features: access control
malware and publish it in framework, image filters, a provenance tracking,
a public repository. and repository maintenance services.
NOTE 1 filters may not be able to scan all
malware or remove all sensitive data from the
images.
NOTE 2 running these filters may raise privacy
concerns because they have access to the content
of the images which can contain EPU’s
confidential data.
T09 V04d Attacks against VMware Use a secure migration framework that preserves
virtualization products. integrity and privacy during and after migration.
NOTE assess the impact of added downtime and
migration time due to encryption and decryption.
T10 V07 Attackers sniff and spoof Implement a virtual network model composed of
virtual networks. three layers: routing layers, firewall, and shared
networks, which can prevent VMs from sniffing
and spoofing.
NOTE see (58) for and expanded discussion of
incidents and countermeasures.
Utilities are finding a variety of business areas and applications that are strong candidates for
cloud technologies:
Respondents to the survey identified their top concerns on the way to using the cloud.
Beginning with the highest concern, the top five are:
91
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Demand response for fast Data-centric communication Develop a demand SaaS & PaaS (62)
response times in large model, or a topic-based group response model that
scale deployment; known as communications model will facilitate both large
cloud-based demand and small-scale
response (CDR) networks.
Peak demand and dynamic Incoming jobs are scheduled to Unknown SaaS & PaaS (63)
pricing be executed according to the
available resources, job priority,
and other applicable
constraints using cloud
applications
Micro-grid management Infrastructure and power Unknown IaaS, SaaS & PaaS (64)
management modules are used
for task scheduling and micro-
grid power management,
respectively.
Real-time monitoring Rapidly integrate and analyse Requires an effective IaaS, PaaS & SaaS (65)
information streaming from privacy policy,
multiple smart meters procedures, and
simultaneously, in order to organizational
balance the real-time demand directives.
and supply curves
Power monitoring and early Perform resource Requires a proactive SaaS (66)
warning system management, task cloud energy
management, and security management method
management using SaaS that will give an early
applications. warning system to the
micro-grids
92
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
Too many external cybersecurity threats are beyond the EPU’s control. Nevertheless, EPU
stakeholders must have the means to visualize and explain requirement violations to facilitate
diagnosis and provide timely corrective action. In most cases this requires the ability to support
cross-system and cross-technology instrumentation and analysis of event data. If these data
are securely stored in cloud computing repositories, they can be downloa ded and replayed
using existing simulators to re-enact what happened. Multiple stakeholders and support
contractors (particularly those who are not co -located) have a crucial role in this analysis, and
a secure means must be provided to facilitate their co llaboration.
One critical capability is the need for identity and access management as a service (IDaaS). In
September 2016, Gartner published a list of commercially available products that provide these
capabilities (64). They evaluated 18 solution providers using 11 critical capabilities and three
common use cases: workforce to service SaaS, business -to-consumer, and tradition/legacy
workforce. Simulators used for playback must be configured for specific applications. Therefor e,
the solution provider must provide dedicated support for on -premise applications. On-premise
applications are installed and run on computers on the premises (in the building) of the person
or organization using the software, rather than at a remote faci lity.
Hybrid cloud architecture scenarios arise when an EPU decides for cost, security, and other
reasons to keep some portion of its operations physically housed on site, while making use of
resources provide outside of the organization for other features (65). Thus, for most EPU
operations, (e.g., simulators for replay) the solution must support a cyber -secure hybrid cloud-
based architecture.
One example use case is the Brooklyn (US) microgrid project, where the neighbours use the
ethereum 30 version of blockchain to sign smart contract and trade solar energy directly among
them to increase the resiliency and efficiency of the grid. In their model end users interact
directly with the grid and calculations are allocated across all participating member devices.
30 Ethereum is a public blockchain-based distributed computing platform, featuring smart contract functionality. It
provides a decentralized virtual machine, the Ethereum Virtual Machine (EVM), that can execute peer-to-peer
contracts using a cryptocurrency called ether.
93
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
This is an incentive-based approach based on market values of energy 31. With the transposition
of transactive energy concepts in the energy market, interaction of the operational technology
components in the energy grid will have to interact through cloud -based services.
The basic idea is that Client violates an access control security policy, which requires that
access control privileges should be denied. When the issue is resolved, the access control
privileges need to be reinstated. Automation of th e process to detect, deny access, and
reinstate access is the objective. A high-level overview of the framework and access control
process is shown in Figure 15.
94
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREAT TO THEIR CRITICAL INFRASTRUCTURE
95