
GridEx II / GridSecCon Update

Grid Security Exercise / Grid Security Conference 2013


Brian M. Harrell, Associate Director of CIP Programs
CIPC, March 6, 2013

GridEx II Overview

NERC will host GridEx 2013 on November 13-14, 2013

North American wide distributed-play exercise

Executive policy trigger table top exercise on 14 November

RELIABILITY | ACCOUNTABILITY

GridEx II Objectives

Validate the current readiness of the electricity industry to respond to a security incident, incorporating lessons learned from GridEx 2011

Assess, test, and validate existing command, control and communication plans and tools for NERC and its stakeholders

Identify potential improvements in physical and cybersecurity plans, programs, and responder skills

Evaluate senior leadership policy doctrine and triggers in response to major grid reliability issues


GridEx II Participants

CIPC Grid Exercise Working Group:
Core group of approximately 10 planners committed to a sustained scenario development effort
Available for planning conferences and regular exercise design teleconferences

Planners:
Leaders of full player organizations that attend planning conferences, provide scenario feedback and orient players
Provided opportunity to shape after action findings

Full Players:
Players that will be fully engaged in the exercise, responding to all relevant injects and coordinating activities across the player set
Full player organizations generally engage in the planning process with sufficient time to orient players

Monitor/Respond Players:
Entities that are not fully engaged in the GridEx planning process but express an interest in participating and gaining visibility into the exercise
Monitor/Respond entities can receive injects, exercise internal processes and participate in coordination calls


CIPC Grid Exercise Working Group

Scenario Imperatives
Broad Relevance and Application:
Given the diverse player set, the scenario should have far-reaching application that can exercise the plans and processes of all players
Must test policy implications

Cyber and Physical Vectors with Extended Conditions:
Scenario must feature cyber & physical attacks that engage a range of security staff
Feature prolonged blackout, potentially to be played in TTX

Highlights Timely Vulnerabilities and Issues:
Must feature current concerns and challenges facing industry
To avoid one-size-fits-all, can craft several scenario workstreams for entities to select from


GridEx II Timeline

Kick-Off, C&O Meeting (February):
Confirm goal & objectives
Finalize timeline
Discuss outreach goals/plan

Initial Planning Phase, IPC (March 26):
Initiate outreach
Shape scenario themes
Confirm exercise mechanics

Mid-term Planning Phase, MPC (June 4):
Craft scenario narrative
Develop materials
Confirm participation

Final Planning Phase, FPC (October 1):
Finalize MSEL
Conduct training
Distribute player materials
Set up venue and logistics

Conduct, Execute GridEx II (November 13-14):
Oversee distributed play
Facilitate senior TTX
Capture player actions and findings

After Action, Deliver Final Report (Q1 2014):
Analyze findings and lessons learned
Draft After Action Report and Briefing


Operational and Discussion Based Play

Distributed Exercise (2 days):
Players across the stakeholder landscape will participate from their local geographies
Injects and info sharing by email and phone

Executive TTX (1/2 Day):
Discussion-based construct engages senior decision makers in assessing distributed play and exploring policy triggers

Exercise Control:
Oversees exercise play & facilitates interactions between exercise modules

[Diagram labels: Utilities, Regional Entities, Federal Agencies, Control System Vendors, NERC BPSA & ES-ISAC, Executive TTX]


Scenario Narrative:
Mature scenario in written form that features key events, timing and expected player actions
Developed by CIPC Working Group to meet objectives and engage player set

Inject #1 11/16: 0830
Inject #2 11/16: 0900
Inject #3 11/16: 0915
Individual injects (or pieces of information) derived from scenario narrative for release to players

Exercise Play:
Players respond to injects through info sharing efforts, interaction with ExCon and other players
ExCon and C/Es observe and capture interactions and craft dynamic injects as needed


Current level of interest


Compliance Concern

Possible Benefits:
PER training credits for operators
CIP-008 exercise opportunity of Incident Response Plan
Possible CIP-009 test opportunity
Possible EOP-008 test opportunity
CIP-001 exercise opportunity of reporting to local and state FBI
EOP-004 procedure test opportunity
OE-417 test reporting opportunity
Utilize lessons learned to perform annual updates
Test internal communications and notification lists

If we play and identify a weakness due to non-compliance
If we do not perform an expected player action that is in our procedures, do we self-report?
Legal teams not comfortable with submittal of data to NERC, ES-ISAC, law enforcement


Event

Transmission Operations
Generation Operations
Energy trading
Field operations
Tech service
Communication & control
OT teams
Corporate IT
Physical Security
Major Accounts
Executive Leadership
Corporate communications
State and local law enforcement

Large conference room
40-50 Players
4-5 planners on site to coordinate and facilitate
Utilize tools, DTS, QAS, Communications tools, reporting, IRP, physical security
Utilize scenario activity gaps to whiteboard current status (war room simulation activity)
Project and display scenario videos, all player injects and talk about how your organization would have seen the injects and who they would have communicated to.

GridSecCon 2013
Grid Security Conference 2013
October 15-17, 2013
Jacksonville, Florida

Day 1:
Full day of training covering emerging topics
Cyber and physical security

Day 2-3:
Full agenda highlighting recent policy changes, cyber attacks, security convergence and response/recovery
