Cyber Event and Cyber Security Incident Reporting
Cyber Event and Cyber Security Incident Reporting Requirements
November 16, 2022
John Graminski, Senior Cyber Security Specialist
Cyber Definitions

Cyber event: A disruption on the electrical system or communication system(s) caused by unauthorized access to computer software and communications systems or networks, including hardware, software, and data (DOE-417 Instructions, Page 8).

Cyber Security Incident: A malicious act or suspicious event that:
o For a high- or medium-impact BES Cyber System, compromises or attempts to compromise (1) an Electronic Security Perimeter, (2) a Physical Security Perimeter, or (3) an Electronic Access Control or Monitoring System; or
o Disrupts or attempts to disrupt the operation of a BES Cyber System (NERC Glossary, Page 10).

Reportable Cyber Security Incident: A Cyber Security Incident that compromised or disrupted:
o A BES Cyber System that performs one or more reliability tasks of a functional entity;
o An Electronic Security Perimeter of a high- or medium-impact BES Cyber System; or
o An Electronic Access Control or Monitoring System of a high- or medium-impact BES Cyber System (NERC Glossary, Page 10).
Form DOE-417 Cyber Reports

Emergency Alert (Boxes 2 & 3): Required within one hour of:
o A Reportable Cyber Security Incident (Box 2); or
o A cyber event that is not a Reportable Cyber Security Incident but that causes interruptions of electrical system operations (Box 3).

Normal Report (Box 11): Required within six hours of a cyber event that could potentially impact electric power system adequacy or reliability.

Attempted Cyber Compromise (Box 14): Required within one day (by the end of the next calendar day) of a Cyber Security Incident that was an attempt to compromise a high- or medium-impact BES Cyber System or its associated Electronic Access Control or Monitoring Systems (EACMS).
Form DOE-417 Additional Information

For cyber events, including attempted cyber compromises:

Identify the type of cyber event by selecting one or both checkboxes (Schedule 1, Box K. Cause):
o Cyber event (information technology): defined as a cyberattack on the business systems/networks that impacts an electrical service.
o Cyber event (operational technology): defined as a cyberattack on systems/networks of industrial control systems (ICS), including Supervisory Control and Data Acquisition (SCADA) and other control system configurations.

Provide the following attributes at a minimum (Schedule 2, Box T. Narrative):
o The functional impact;
o The attack vector used; and
o The level of intrusion that was achieved or attempted.
Form DOE-417 Additional Reporting

Form DOE-417 has provisions to forward reports to:
o NERC
o E-ISAC
o CISA Central (NCCIC)

Check the appropriate box(es) at the bottom of the form.

Forwarding a Form DOE-417 report does not by itself provide evidence of compliance with CIP reporting requirements.

Please check the “Notify NERC” box and email a copy of the completed form to WECC ([email protected]) or send it securely through your WECC account (https://www.wecc.org).
CIP-003-8

CIP-003-8 Attachment 1, Section 4: Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include:
o Section 4.2: Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to E-ISAC, unless prohibited by law.

Responsible Entities are required to notify E-ISAC of any Reportable Cyber Security Incidents involving applicable low-impact BES Cyber Systems, unless prohibited by law.

Associated with Form DOE-417, Emergency Alert, Box 2: Reportable Cyber Security Incident.
CIP-008-6

CIP-008-6 R4: Each Responsible Entity shall notify E-ISAC and NCCIC, or their successors, of a Reportable Cyber Security Incident or a Cyber Security Incident that was an attempt to compromise a high- or medium-impact BES Cyber System and their associated EACMS, unless prohibited by law.

Associated with Form DOE-417:
o Emergency Alert, Box 2: Reportable Cyber Security Incident
o Attempted Cyber Compromise, Box 14: Cyber Security Incident that was an attempt to compromise a high- or medium-impact BES Cyber System or associated EACMS
CIP-008-6 (Continued)

CIP-008-6 R4, Part 4.1: Initial notifications and updates shall include the following attributes, at a minimum, to the extent known:
o Part 4.1.1 The functional impact;
o Part 4.1.2 The attack vector used; and
o Part 4.1.3 The level of intrusion that was achieved or attempted.

Associated with Form DOE-417, Schedule 2, Box T: Narrative.
Associated CIP Standards Summary

Form DOE-417 Cyber Reports and the Associated CIP Standards:

Box 2, Emergency Alert: Reportable Cyber Security Incident.
o CIP-003-8, Attachment 1, Section 4.2: Notify E-ISAC
o CIP-008-6 R4, Part 4.1: Notify E-ISAC and NCCIC (CISA Central)

Box 14, Attempted Cyber Compromise: Cyber Security Incident that was an attempt to compromise a high- or medium-impact BES Cyber System or associated EACMS.
o CIP-008-6 R4: Notify E-ISAC and NCCIC (CISA Central)

Box T, Narrative: For cyber events, including attempted cyber compromises, provide the following attributes (at a minimum): (1) the functional impact, (2) the attack vector used, and (3) the level of intrusion that was achieved or attempted.
o CIP-008-6 R4, Parts 4.1.1, 4.1.2, 4.1.3: Notify E-ISAC and NCCIC (CISA Central)
References

Form DOE-417, Electric Emergency Incident and Disturbance Report, OMB No. 1901-0288. Available: https://www.oe.netl.doe.gov/docs/OE417_Form_05312024.pdf

Form DOE-417 Instructions, OMB No. 1901-0288. Available: https://www.oe.netl.doe.gov/Docs/OE417_Form_Instructions_05312024.pdf

Glossary of Terms Used in NERC Reliability Standards, March 29, 2022. Available: https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf

Steps for Uploading a Brief Report. Available: https://www.wecc.org/_layouts/15/WopiFrame.aspx?sourcedoc=/Administrative/Steps%20for%20Uploading%20a%20Brief%20Report.pdf&action=default

NERC CIP-003-8, Security Management Controls. Available: https://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-003-8&title=Cyber%20Security%20%E2%80%94%20Security%20Management%20Controls&Jurisdiction=United%20States

NERC CIP-008-6, Incident Reporting and Response Planning. Available: https://www.nerc.com/_layouts/PrintStandard.aspx?standardnumber=CIP-008-6&title=Cyber%20Security%20%E2%80%94%20Incident%20Reporting%20and%20Response%20Planning&Jurisdiction=United%20States
Contact: John Graminski, [email protected]