PROJECT 07-07 | NOVEMBER 2008


Cyber Security E-Handbook

Prepared by
Randall R. Nason, PE, C.H. Guernsey & Company, 5555 North Grand Blvd, Oklahoma City, OK 73112, www.chguernsey.com
and David Greer, Executive Director, Institute for Information Security, University of Tulsa, Tulsa, OK 74104, www.utulsa.edu
and Jerald Dawkins, Ph.D., President, True Digital Security, 5110 S Yale Ave, Suite 310, Tulsa, Oklahoma 74135, www.truedigitalsecurity.com

for
National Rural Electric Cooperative Association, Cooperative Research Network, 4301 Wilson Boulevard, Arlington, Virginia 22203

The National Rural Electric Cooperative Association
The National Rural Electric Cooperative Association (NRECA), founded in 1942, is the national service supporting more than 900 electric and public power districts in 47 states. Electric cooperatives own and operate more than 44% of the distribution lines in the nation and provide power to 12% of the population.

Cyber Security E-Handbook. Copyright © 2008 by The National Rural Electric Cooperative Association. Reproduction in whole or in part is strictly prohibited without prior written approval of the National Rural Electric Cooperative Association, except that reasonable portions may be reproduced or quoted as part of a review or other story about this publication.

Legal Notice
This work contains findings that are general in nature. Readers are reminded to perform due diligence in applying these findings to their specific needs, as it is not possible for NRECA to have sufficient understanding of any specific situation to ensure applicability of the findings in all cases.

Neither the authors nor NRECA assume liability for how readers may use, interpret, or apply the information, analysis, templates, and guidance herein or with respect to the use of, or damages resulting from the use of, any information, apparatus, method, or process contained herein. In addition, the authors and NRECA make no warranty or representation that the use of these contents does not infringe on privately held rights.

This work product constitutes the intellectual property of NRECA and its suppliers, as the case may be, and contains confidential information. As such, this work product must be handled in accordance with the CRN Policy Statement on Confidential Information.

Contact:
Randall R. Nason, PE, C.H. Guernsey & Company, 5555 North Grand Blvd, Oklahoma City, OK 73112. Phone: 405.416.8213. e-mail: [email protected]
David Greer, Executive Director, Institute for Information Security, University of Tulsa, Tulsa, OK 74104. Phone: 918.631.6525. e-mail: [email protected]
Jerald Dawkins, Ph.D., President, True Digital Security, 5110 S Yale Ave, Suite 310, Tulsa, Oklahoma 74135. Phone: 866.430.2595. e-mail: [email protected]

Contents

Executive Summary vii

Section 1 Cyber Security and Electric Cooperatives 1
  The Why and How of Cyber Security 1

Section 2 Cyber-Security Primer 5
  Dimensions of Security 5
  Engineering for Security 6
  Security Controls 7

Section 3 Protecting Electric Cooperatives’ Systems 17
  Safeguarding Workstations, Laptops, and Desktops 17
  Defending the Network 23
  Protecting Information Services 33

Section 4 Protecting Electric Distribution Control Systems 35
  SCADA Systems 35
  Attacks on SCADA Systems 36
  Security for SCADA Systems 38
  Security Questions and Recommendations for SCADA Systems 40

Section 5 Roadmap: Cyber-Security Framework and Standards 43
  Critical Infrastructure Protection 43
  INFOSEC Guidelines for the Utility Industry 45
  Cyber-Security Framework 47

Appendix A Description of NERC Cyber-Security Standards (CIP-002–009) 51
Appendix B Glossary of Terms 55
Appendix C References 59
Appendix D Abbreviations 61

Illustrations

FIGURE PAGE
A.1 Security and Cyber Security Architecture and Protection vii
3.1 Typical Firewall Hardware Device—Barracuda Firewall 25
4.1 SCADA System Attack Entry Points 36

Tables

TABLE PAGE
2.1 Devices for Physically Securing Computer Equipment (Prices subject to change) 12
3.1 Firewall Devices 26
3.2 Common Firewall Traffic 27
4.1 SCADA Vulnerabilities as Reported by the DoE 37


Executive Summary

Electric cooperatives face a range of information security threats, from computer criminals seeking social security numbers (SSNs) on corporate networks to cyber terrorists aiming to take down the power grid by attacking a control network. Defending against such threats means building a cyber-security program that mitigates risk, addresses compliance and regulatory requirements, and results in streamlined operations and increased productivity.

The objective of this handbook is to introduce basic concepts and technologies of cyber security, and offer guidance for protecting modern electric cooperatives. Cyber security is a cyclic process protecting information systems in four dimensions: confidentiality, integrity, availability, and nonrepudiation. A robust security program integrates technical, operational, and managerial controls to create layered defenses for an information system.

The diagram below, Figure A.1, illustrates the major elements and considerations of a cyber-security program for electric cooperatives. A network must strategically apply security solutions such as firewalls, virtual private networks (VPNs), and intrusion-detection systems. Security controls must also reside on desktops, personal computers (PCs), and laptops to protect the data that rest on them. Antivirus software, hard-drive encryption, and access-control systems all support defense in depth. At the application level, databases, messaging programs, and e-mail systems demand their own specific security solutions. Supervisory control and data acquisition (SCADA) systems, which provide real-time control and monitoring of electric distribution systems, create

Figure A.1 (diagram; the boxes and the items labelled in them):
Security & Cyber Security Architecture & Protection: Separation of Duties; Layered Protection; Security Administration; Tech Architecture (Diagrams & Docs); Security Administration Staff Certification
Network & Bus Applications: Passwords; Wireless; PCI Compliance; DMZ; Int. Vulnerability Scan
Cyber Security: Internet/Extranet; Firewalls + Appliances; Remote Access; Ext. Vulnerability Scan; Patch Mgmt.; Intrusion Detection + Intrusion Prevention (IDS/IPS); Network Firewall; PC Firewall; Honey Pots; Anti-Virus
SCADA: Live Data Access; Historical Data Access; Control vs Monitoring; Compliance Agencies
Desktop & Files: Identity Theft; Phishing; Data Theft (Internal & External); Flash/Thumb Drives; Spyware + Ad-ware; Spam; Logs
Messaging: E-mail + Attachments; Instant Messaging (IM)
Other: Back-up + Restoration; Logs; Internet; Video Cameras; Climate Control; Back-up Power (UPS + Generator); Fire Suppression
Controls: Technical; Operational; Managerial

FIGURE A.1: Security and Cyber-Security Architecture and Protection.

special security challenges. Their time and mission criticality, coupled with the trend for greater remote access and historically weak security, make SCADA systems attractive targets for cyber terrorists. SCADA security calls for protecting external connections through strong authentication, engaging application-level access controls, and implementing routine patch management.

Technical controls must be supported by operational controls such as patch management and vulnerability scans to be effective. Managerial controls such as separation of duty policies and training programs support both—and thus ensure that systems and procedures are implemented systematically. Physical security is critical as well. Video cameras, security guards, door locks, and fire-suppression systems are vital components of a security plan that keeps out of the wrong hands.

A robust cyber-security program is more than a collection of techniques and technologies thrown together in defense of a network. A sustainable program must bind these into a cohesive framework driven by risk and compliance, and supported by assessment and training. A security program is shaped by its organizational risk and regulatory requirements. Security assessments and audits guide the intelligent development of a strategic security plan. Ultimately, however, a security program is built on a culture supported by training and education. This handbook introduces these necessary ingredients and provides the recipe for a successful cyber-security program for electric cooperatives.

Cooperative Checklist

Electric cooperatives vary greatly in size. As a result, information technology (IT) resources and needs vary greatly across cooperatives. The following are some tips to concentrate efforts on the most important aspects of cyber security to get the greatest return for the time and effort spent.

Top 10 items for corporate networks
1. Gateway firewall
2. Server virus scan/spyware blocker
3. Desktop virus scan/spyware blocker
4. Gateway virus scan/spyware blocker
5. Patching
6. Backup and disaster recovery plans
7. Desktop firewalls
8. File protection
9. Spam protection
10. Corporate security policy

Top 10 items for SCADA networks
1. Gateway firewall
2. Backup and disaster recovery plans
3. Remote access control
4. SCADA application hardening
5. Virus scan/spyware blocker
6. Patching
7. SCADA database security
8. SCADA network auditing
9. Accurate time source
10. SCADA network security policy

1 Cyber Security and Electric Cooperatives

In This Section: The Why and How of Cyber Security

Electric cooperatives rely on computer systems and networks to serve members, run company transmission and distribution systems, and streamline vital business processes. Employees and contractors need remote access to the company systems, while crews communicate with devices in the field. Paying bills and initiating service orders online are increasingly common practices. The Internet and e-mail have become fundamental components of a cooperative’s business communications infrastructure. These considerations make securing information systems and electronic data even more important for modern electric cooperatives.

The objective of this handbook is to introduce basic concepts and technologies of cyber security, and to apply these concepts of protecting digital systems to modern electric cooperatives. The reader should come away with an awareness of core security principles and an understanding of the application of these principles to information systems, particularly to systems in the electric utilities industry.

The Why and How of Cyber Security

The main goal of cyber security is to protect digital information resources and services. But security objectives can be motivated by a number of drivers. Regulatory pressures and industry standards can influence security, as can the adoption of new technologies or the recognition of new threats. Organizational policy or philosophy may also shape a cyber-security effort. The integration of a specific security countermeasure may be a reaction to a particular event. Regardless, an electric cooperative that implements a robust and well-conceived cyber-security plan may find exposure and risk reduced as well as productivity and operations streamlined.

Cyber security is an exercise in risk management that should harmonize with other business processes in the enterprise. The cyber-security risk-management process is actually a never-ending cycle of assessment, planning, and implementation. Risk assessment—which drives planning and implementation—must be repeated as technology, threat, and mission change. A comprehensive cyber-security plan complements technical solutions with policies, procedures, and training. The security plan combines the system-development process with the integration of security engineering principles and practices. The implementation of a cyber-security plan should incorporate metrics or rules that quantitatively and periodically measure the performance of the plan.

RISKS TO ELECTRIC COOPERATIVES

Any company or organization that relies on computers and networks to process, store, and

communicate information vital to the organization’s mission has some security risk. Electric cooperatives are no different. Electric cooperatives, stakeholders, and customers can experience disastrous results such as losing access to critical data, losing control of sensitive documents, or making decisions based on corrupted information. Some risks can be mitigated by a security plan or transferred by insurance (for example, Internet insurance), while others must be tolerated as acceptable.

There is no shortage of headlines that highlight the hazards of living and working in a digital world. Cases of identity theft, intrusions on corporate and government networks, and the endless parade of Internet worms and viruses dominate the popular consciousness of a tech-savvy society. Our dependence on information technology (IT) heightens the anxiety we feel about the potential to fall prey to one of these attacks. To compound matters, keeping major breaches out of the newspaper is increasingly difficult for stakeholders. These breaches can damage public confidence and reputation. Unfortunately, this reality holds true for modern electric cooperatives.

Worms and viruses. Virus and worm attacks on the Internet are typically large-scale events, but have become so commonplace that, in the absence of some novel characteristic or feature, they no longer command the public spotlight. Still, the potential for damage caused by self-replicating software unleashed on a mission-critical network is a major concern for cyber-security professionals.

Denial of service attacks. Attacks that flood a system with legitimate traffic, or with maliciously crafted payloads intended to disrupt a data service, are called Denial of Service (DoS) attacks. Prevention of DoS attacks is difficult, but a comprehensive cyber-security program can incorporate strategies to limit the impact of such an attack.

Identity theft. The loss or compromise and subsequent misuse of personal information define identity theft. Such theft typically makes headlines when it occurs on a large scale (for example, with millions of affected parties). The increasingly mobile nature of data on networks, laptops, and thumb drives makes identity-theft prevention a real challenge for security professionals.

Less publicized security events can be just as devastating. Handling an incident inevitably causes a loss in productivity, as information services are shut down and resources are diverted to damage control and containment. The attacks that escape unnoticed can be worse, doing untold damage to electric cooperatives.

Corporate espionage. Intellectual property is the crown jewel of any organization. Digital documents stored on networks are tempting targets for the cyber criminal who may realize the documents’ intrinsic value. Corporate espionage occurs on a scale much wider than is reported by the media.

Warez rings. Subverted systems can be used to house and distribute warez—illegal copies of software, movies, and music. Warez rings can be operated covertly by employees, or can be run remotely by hackers who have penetrated a corporate network.

REWARDS OF A CYBER-SECURITY PROGRAM

The obvious benefit of a cyber-security program is incident prevention. In addition, other rewards exist that create incentives for investing in the development of such a program. These rewards are varied in scope and nature, and ultimately allow an electric cooperative to fulfill its mission.

Accordingly, the beneficiaries of a mature security plan and implementation range from the CEO to the customers. Solid security is analogous to a healthy immune system—the immune system prevents and limits the damage to the body caused by disease and, at a higher level, promotes an active and better-functioning body. A robust security posture induces far less liability for breaches that do occur, and the natural consequence of a system designed to function efficiently in the face of attack is increased productivity and superior performance. Most importantly, an IT department that is not constantly

“putting out fires” has much more success in exploiting new opportunities to enhance operations.

Damage containment. A sound cyber-security program will shape a rapid and effective response to an incident that contains damage and thus minimizes the impact of an attack. The result of effective damage containment is less costly incident handling and quicker recovery.

Limited liability. An electric cooperative that establishes best practices in cyber security as a baseline for performance enjoys the residual benefit of limited liability if an attack occurs. By establishing such a baseline, an organization exercises legally defensible reasonable care and due diligence in the protection of digital assets.

Increased productivity. Incident handling, especially when managed poorly, does not come without a cost in terms of enterprise productivity. The security incident disrupts the routine of all affected employees. Moreover, a poorly developed plan, which enables an incident, may result in a reactionary security posture that unduly limits system functionality.

Better system performance. A network or system protected by a comprehensive cyber-security plan suffers less downtime due to attacks. Annoyances such as spyware and spam are better contained, yielding improved system performance.

Enterprise agility. An information infrastructure that enjoys the benefits of a robust cyber-security program is better poised to exploit new technologies. An electric cooperative with a solid security program is less distracted by putting out fires and can dedicate greater resources toward strategic technology planning. The intelligent and aggressive adoption of new technologies is critical for the competitive digital enterprise, enabling new economies of scale for business production and operational processes.


2 Cyber-Security Primer

In This Section: Dimensions of Security; Engineering for Security; Security Controls

This section introduces the universal principles and concepts of cyber security that a cooperative must master to field a secure system. Cooperatives must understand the four basic dimensions of security: confidentiality, integrity, availability, and nonrepudiation; security engineering; and technical, operational, and managerial security controls.

The concepts and principles discussed in this chapter are universal in the sense that they apply to virtually any kind of information system or network an enterprise seeks to deploy. The application of specific controls may vary from system to system, but the underlying themes remain the same. Knowing them will reveal common patterns in security architectures between, for example, SCADA systems and corporate networks.

Dimensions of Security

The goals for protecting information systems, services, and resources can be considered as satisfying security properties in four basic dimensions: confidentiality, integrity, availability, and nonrepudiation. Thus, any security control or countermeasure should help meet an objective for an IT in one or more of these dimensions.

Core Security Properties

Confidentiality. This property preserves the secrecy of sensitive information, guaranteeing that only authorized users are permitted to view protected data.

Integrity. The two forms of this property over data are origin integrity and content integrity. Origin integrity guarantees the authenticity of the data’s creator, while content integrity ensures that data has not been modified in an unauthorized manner.

Availability. Availability provides for the uninterrupted and timely delivery of information services and ensures that authorized users are able to access data as needed.

Nonrepudiation. Nonrepudiation creates user accountability and attribution for all actions in an information system. Nonrepudiation is perhaps the most overlooked (yet a critical) property of information security.

SCADA systems provide real-time control and monitoring of electric distribution systems. According to IEEE Standard 1402-2000, Guide for Electric Power Substation Physical and Electronic Security, “the introduction of computer systems with online access to substation information is significant in that substation relay protection, control, and data collection systems may be exposed to the same vul-

Tips and Takeaways

• Challenge vendors to explain services and products in terms of their core security properties.

Engineering for Security

Security is a risk-management process. The process begins with the consideration of security requirements in the design of an information system or IT solution. The process continues with the full integration of security design and implementation activities in the system-engineering process. System-development methodologies that ignore security result in vulnerable solutions that must be retrofitted with security controls, often with unsatisfying results.

Security concerns with internally developed electric cooperative software underscore why engineering for security—on the front end—is important. Many times internally developed electric cooperative software applications are not designed for security because there is no current plan to share these applications externally. As an electric cooperative’s needs grow, however, applications are often shared with other groups including other users inside the electric cooperative, member electric cooperatives, and even customers. Many times these internally developed applications have to be completely redesigned to address built-in security flaws.

Designing and creating a file system on a file server is a common example of how engineering for security is important. Some cooperatives create shared folders without considering what groups will need access to these folders. As data needs to be shared with more people, the system administrator has to assign individual rights or redesign the file system. Whenever a new process is put in place, a cooperative should always ask the questions “How can the electric cooperative set up the process so it starts secure and remains secure?” and “Who will need access to this process now and in the future?” Asking these security questions up-front will save time and effort in securing the process.

The Information System Security Engineering Process (ISSEP) established within the National Security Agency’s (NSA’s) Information Assurance Technical Framework (IATF) [1] prescribes the following steps for the engineering of a secure system:

• Discover security needs
• Define system security requirements
• Define system security architecture
• Develop detailed design
• Implement system

The ISSEP runs parallel to the systems-development life cycle. Key enablers for the ISSEP are continual assessment, planning, and customer input. All system security-engineering methodologies incorporate these basic elements. Moreover, regardless of the process, the basic design principles of security engineering remain the same.

Secure Design Principles

Economy of mechanism. A simple design is essential because complex systems often host latent exposures. Concise design and implementation allow both fewer access paths and easier inspection.

Fail-safe defaults. In any large system, denial of access by default allows for secure operations and access paths: permissions can then be added as necessary. Permission errors in a fail-by-default system are easily noticed by enabling effective troubleshooting and maintenance procedures.

Complete mediation. Complete mediation guarantees that security controls are universally applied to all subjects and objects in the intended domain. For example, a system that authenticates every user log-in respects this property.

Open design. Open design dictates that the security of a system not be reliant upon the secrecy of controls. Adherence to this principle allows security mechanisms to be reviewed openly without risk to the system. The presumption of code or algorithm secrecy should never be relied upon to protect software or data, and no system should depend on the ignorance of attackers for security.

Separation of privilege. This design principle results in multiple controls over system resources. Multiple keys or required conditions for access afford additional protection against attacks.

Least privilege. Employees should only be able to access the information necessary to complete the employees’ job function, limiting the potential for errors or misuse of privileges. Constraining user privilege also reduces unnecessary interactions between privileged programs and the minimal levels required for operation.

Least common mechanism. Sharing of programmable objects and resources among multiple users should be minimized. Mechanisms common to multiple users create possible information exchange that could compromise security. Common mechanisms typically do not allow separate levels of certification and functionality.

Psychological acceptability. Security should always be easy to use; otherwise employees will attempt to circumvent safeguards, rendering the security wholly ineffective. Employees will more likely abide by a security implementation with automatic protection mechanisms and simple use requirements. The implementation of security and the security goals of the employee should coincide.

Tips and Takeaways

• Insist on a system-development methodology that establishes security at the outset, as opposed to adding security later.
• Know the security-engineering process for every system in .
• Allowing access only to the files and folders that an electric cooperative employee needs for that job function is one example of applying the “least privilege concept.” This access can be accomplished by creating folder structures based on department or business unit. Security can then be assigned to groups based on departments. As a result, anyone in the department (but no one else!) gets access to the department folder structure.
• Assigning security to groups instead of individual users is a good example of the “economy of mechanism.” When security is denied by default and then enabled by group, all the administrator has to know is what group a user is in to know what access the user has to the system.
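The group-based, deny-by-default folder access described in the tips above, together with the fail-safe defaults, complete mediation, and least privilege principles from the Secure Design Principles box, can be written down as a small access-control check. The Go program below is an example added to this edition of the handbook; it is not code from NRECA, the handbook's authors, or any cooperative's file server. The FolderACL and Directory types, the department folders, the group names, and the users alice, bob, and carol are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"path"
)

// Permission is a bit set of the rights that can be granted on a folder.
type Permission int

const (
	Read Permission = 1 << iota
	Write
)

// FolderACL records, per folder, which groups hold which rights. A folder or
// group missing from the map holds nothing: that absence is the fail-safe
// default, so a forgotten entry denies rather than allows.
type FolderACL struct {
	grants map[string]map[string]Permission // folder -> group -> rights
}

// Directory is the group membership the administrator maintains. Rights are
// attached to groups, never to individual users (economy of mechanism: the
// administrator only needs to know a user's group to know the user's access).
type Directory struct {
	groups map[string][]string // user -> groups
}

func NewFolderACL() *FolderACL {
	return &FolderACL{grants: map[string]map[string]Permission{}}
}

// Grant gives group the rights p on folder and everything below it.
func (a *FolderACL) Grant(folder, group string, p Permission) {
	folder = path.Clean(folder)
	if a.grants[folder] == nil {
		a.grants[folder] = map[string]Permission{}
	}
	a.grants[folder][group] |= p
}

// Check is the one decision point every file operation passes through
// (complete mediation). The path is canonicalised first so "../" cannot
// escape a granted folder; then the ACL is walked from the file up to the
// root, and the request is allowed only if some ancestor folder grants
// every requested right to one of the user's groups. Finding nothing means
// denied (least privilege), including for a user who is in no group at all.
func (a *FolderACL) Check(d *Directory, user, file string, want Permission) bool {
	if want == 0 {
		return false
	}
	folder := path.Clean("/" + file)
	for {
		for _, g := range d.groups[user] {
			if a.grants[folder][g]&want == want {
				return true
			}
		}
		if folder == "/" {
			return false
		}
		folder = path.Dir(folder)
	}
}

// DemoDirectory builds a constructed cooperative: one folder per department
// with group-based grants, plus a read-only folder shared with everyone.
func DemoDirectory() (*FolderACL, *Directory) {
	acl := NewFolderACL()
	acl.Grant("/engineering", "engineering", Read|Write)
	acl.Grant("/billing", "billing", Read|Write)
	acl.Grant("/public", "everyone", Read)
	dir := &Directory{groups: map[string][]string{
		"alice": {"engineering", "everyone"},
		"bob":   {"billing", "everyone"},
		// "carol" is a new hire not yet placed in any group: denied everywhere.
	}}
	return acl, dir
}

func main() {
	acl, dir := DemoDirectory()
	requests := []struct {
		user, file string
		want       Permission
	}{
		{"alice", "/engineering/plans.docx", Read | Write},
		{"bob", "/engineering/plans.docx", Read},
		{"alice", "/public/handbook.pdf", Write},
		{"bob", "/engineering/../billing/rates.xlsx", Read},
		{"carol", "/public/handbook.pdf", Read},
	}
	for _, r := range requests {
		fmt.Printf("%-6s %-38s allowed=%v\n", r.user, r.file, acl.Check(dir, r.user, r.file, r.want))
	}
}
```

The point of the walk from the file up to the root is that a grant on a department folder covers the whole subtree, so the administrator assigns rights once per department and group rather than per file and per user; the point of canonicalising the path before the walk is that the decision is made on the folder the file actually lives in, not on the path the caller typed.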

Security Controls

Security controls are those elements within an enterprise that help meet objectives for protecting IT assets by addressing identified threats. Controls exist in the technical, operational, and managerial domains. While technical controls tend to receive the most attention, operational and managerial controls are equally vital to protecting the digital enterprise. For example, encryption technology is worthless without procedures and policies that govern its use.

Different resources on an electric cooperative’s network require different security controls. For example, the electric cooperative’s SCADA/control system will most likely have different security controls than the rest of the electric cooperative’s network. Applying only the security controls that are needed based on the criticality of the resource being protected provides the necessary security while keeping costs low and ease of use high. Security is always a balance between keeping resources secure and allowing access required by users.

TECHNICAL CONTROLS

Technical security controls include hardware and software solutions that help enforce an organizational security policy. Technical controls function in a variety of ways, by providing secure communication channels, limiting access to system resources, detecting attacks, and authenticating users. Ultimately, the service or functionality a technical control provides maps back to one or more of the four dimensions of information security—confidentiality, integrity, availability, and nonrepudiation.

Technical controls are often built in to newer generation operating systems such as Windows 2000 and . As a result, an electric cooperative can implement these technical controls without purchasing additional software or hardware. Implementing password protection for all users who log in to the electric cooperative’s network based on a password policy is an example of applying a technical control based on operational controls.

Firewalls, intrusion detection/prevention systems, and network architectures are examples of technical controls. Technical controls traditionally: (1) prevent or limit an attack, or (2) detect and monitor one. In the former case, exerting control over data and IT resources is the objective; in the latter case, monitoring for rapid response is the objective.

Some rather unorthodox technical controls have also been used. For example, honeypots are segments of a network that intentionally appear vulnerable in order to draw and capture attacks

as an early warning and surveillance mechanism. Their benefit to an organization’s security posture is currently a matter of open debate. Honeypots may pose some risk to a cooperative’s network. If a honeypot is not properly isolated, an attacker can use it to break into other systems on the cooperative’s network.

The two most prevalent forms of technical controls are passwords and data encryption. In general, they provide core services for access control, data isolation, and integrity. As a result, these controls underpin the vast majority of security solutions and services on the market.

Password protection

One of the simplest and most effective technical controls is password-based user authentication. A strong password, with minimal expense, does much to prevent and deter attacks. The key elements are: (1) knowing how to create a strong password and (2) ensuring the password is not compromised through misuse or negligence. For passwords to be effective, users must engage in safe password-protection practices. For example, users must never share passwords and should avoid any action that might expose a password such as writing the password down. Electric cooperatives should establish password policies and guidelines for all employees and, after doing so, must consistently enforce them.

Password-Management Guidelines

• Strong passwords mix upper- and lowercase alphanumeric characters, numbers, and at least one special character to minimize the threat from brute-force cracking.
• Passwords should be at least eight characters long.
• Passwords should not contain common phrases, any part of the user’s name, phone number, or birth date.
• Passwords should be changed on a periodic basis.
• Users should choose passwords that can be remembered and not write down passwords.
• Systems should limit the number of failed log-in attempts with a lockout strategy and incorporate a short time delay for incorrect passwords to discourage password cracking.
• Default passwords should be replaced with new passwords when new software or equipment is installed.
• Employees must log off from workstations when leaving for the day or for an extended period of time.
• Screen-saver programs should provide automated password protection that can be activated when employees step away from the computer for a short period of time.

Resources: Creating Secure Passwords

• Ten Windows password myths: www.securityfocus.com/infocus/1554
• Password tips for privacy: http://lincproject.org/toolkit/techtips/tt_passwords.pdf
• Password tips for users: www.grace.edu/grace/gccs/documents/Password%20Tips.pdf

Tips and Takeaways

• Ensure that all network and system accounts are password protected and adhere to organizational policies and guidelines by conducting routine password audits.
• Implement strong password rules. A strong password should be at least eight characters long using a combination of upper- and lowercase characters, numbers, and at least one special character.
• Use individual passwords on shared computers. In many electric cooperatives, 24-hour system operators share workstations. On these shared workstations, the best security practice is to have each operator have a unique log-in account and password. In addition, operators should not know each other’s passwords.
• Enforce password policies. Some newer server software, such as Windows 2003, implements policies to force users to create strong passwords. A good practice is to enable these policies so that when users have to change passwords, these passwords remain secure.

Encryption

Unauthorized data access is a concern for every organization. Electric cooperatives that manage digital records containing customer data, sensitive operational specifications, and secrets must take appropriate measures to protect such records when the records are “at rest” or “in transit” on an information system. Encryption is a powerful method for preserving the confidentiality and integrity of digital records on a system.

The basic function of data encryption is simple: scramble information so that the information is unreadable to everyone but the authorized user. Encryption systems rely on keys (blocks of data) to encrypt and decrypt digital records. Keys for encryption must scramble data in such a way that no one but the user with the correct decryption key can read the data. The essential properties of a decryption key are that it (1) unscrambles data scrambled by a corresponding encryption key and (2) is held securely.

File encryption, which encrypts data on file systems, makes data “at rest” unreadable to anyone without the decryption key. Electric cooperatives that store sensitive data on file systems can use encryption to preserve the secrecy of that data. The advantage of file encryption over password-based security mechanisms—at least those that do not use encryption—is that the encrypted data is secure even when the computer is not running. If an attacker steals a hard drive and performs a forensics analysis on the drive, encrypted data remains protected.

There are several tools available for encrypting data. Pretty Good Privacy (PGP) provides software for encrypting individual files, entire disks, and shared data on a network via PGP and GNU Privacy Guard (GnuPG or GPG)

Encryption

Implementing file encryption is a big step for the average electric cooperative to take. File encryption should be considered for sensitive data. One noteworthy aspect of encryption is that encrypted data is difficult to impossible to recover if the mechanism to unlock the encryption is lost. The following are some examples of encryption that electric cooperatives should consider.

1. Encrypted communications may be required by the electric cooperative to use certificates for encrypted communications between the electric cooperative and the International Organization for Standardization (ISO). In this case encrypted communication via https is required. Make sure that a procedure is in place for storing the certificates in a secure location.
Also make sure that all certificates (open-source) programs. BestCrypt and True- are protected by a strong password. Crypt are examples of products that allow for 2. Universal Serial Bus (USB) drives can be easily lost. If USB drives encryption of files and disks, while ShareCrypt must be used in day-to-day operations, then encrypting these is an example of a cryptosolution that handles drives is a good idea. network data. 3. Password vaults are another use of encryption that can directly Encryption can also be used to secure com- benefit electric cooperatives. A password vault uses a password- munications (data “in transit”), including net- protected encrypted file to store passwords. Electric cooperatives work traffic generated by e-mail and instant can use a password vault such as KeePass to store passwords for messaging (IM). PGP provides tools to transpar- routers, switches, administrator accounts, automatic services, Energy ently support encryption for both of these types Management Systems (EMS) log-ins, and databases as well as online of services, and many open-source clients (such SCADA systemssupport provide passwords. The encrypted password file can then be stored as Mozilla Thunderbird and Pidgin IM) provide a real-time controlon anda USB drive and put in a fireproof safe or stored in a secure number of encryption schemes for their messag- monitoring oflocation electric on the network. If a password vault is used, the password ing solutions. distribution systems.to unlock Ac- the vault should follow the guidelines for strong pass- Key management is the greatest obstacle to cording to IEEEwords. Standard In addition, if the password is lost then all the data in the successfully deploying an encryption solution. 1402-2000, Guidevault for will no longer be accessible. 
This is because the generation, distribution, and Electric Power Substation revocation of encryption and decryption keys Physical and Electronic are the most vulnerable elements of any encryp- Security, “the introduc- tion strategy. Key management can be auto- tion of computerTips and systems Takeaways mated, as in a Public Key Infrastructure (PKI), with online access to or can be a manual process guided by policies, • Consolidate file and communications encryption under one solution substation information is procedures, and best practices. VeriSign and to offer universal and interoperable protection of sensitive data “at significant in that substa- Thawte offer robust PKI solutions. At a mini- rest” and “in transit.” tion relay protection, mum, encrypted files and corresponding keys • Scrutinize the key management scheme of any candidate encryption control, and data collec- must not be stored on the same disc. Equally im- solution. tion systems may be ex- portant, users of encryption technology must be posed to the same vul- educated on the importance of key protection. 10 – Section 2 2
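The password-management guidelines above (minimum length, character mix, no personal data or common phrases, limited failed log-ins with a delay and lockout) encoded as a small checker. This is an added example, not code from the handbook or from any product it names; the lockout threshold of five attempts, the one-second base delay and the short common-phrase list are assumed values chosen for illustration, and the sample user profile is constructed.

```python
"""Password-policy checker and failed-log-in guard.

Added example, not the handbook's code. Rules encoded from the guidelines:
at least eight characters; upper- and lowercase letters, a digit and a
special character; nothing taken from the user's name, phone number or
birth date; no common phrase. MAX_FAILED_ATTEMPTS, BASE_DELAY_SECONDS and
COMMON_PHRASES are assumed values for the example.
"""
import re
import time
from dataclasses import dataclass

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5        # assumed lockout threshold
BASE_DELAY_SECONDS = 1.0       # assumed delay after each wrong password
COMMON_PHRASES = ("password", "letmein", "qwerty", "welcome")  # constructed list


@dataclass
class UserProfile:
    username: str
    full_name: str
    phone: str
    birth_date: str            # YYYY-MM-DD


def _personal_fragments(profile):
    """Pieces of personal data (3+ characters) a password must not contain."""
    frags = set()
    for part in re.split(r"[\s.\-]+", profile.full_name.lower()):
        frags.add(part)
    frags.add(profile.username.lower())
    digits = re.sub(r"\D", "", profile.phone)
    if digits:
        frags.add(digits)
        frags.add(digits[-4:])                     # last four digits
    y, m, d = profile.birth_date.split("-")
    frags.update({y, m + d, d + m, y + m + d, m + d + y[2:]})
    return {f for f in frags if len(f) >= 3}


def check_password(password, profile):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    if any(p in lowered for p in COMMON_PHRASES):
        problems.append("contains a common phrase")
    for frag in _personal_fragments(profile):
        if frag in lowered:
            problems.append("contains personal data %r" % frag)
            break
    return problems


class LoginGuard:
    """Counts failed log-ins per account: each failure costs a growing delay,
    and the account locks after MAX_FAILED_ATTEMPTS until an admin unlocks it."""

    def __init__(self, sleep=time.sleep):
        self.failures = {}
        self.locked = set()
        self._sleep = sleep                        # injectable so tests need not wait

    def record_failure(self, username):
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        if n >= MAX_FAILED_ATTEMPTS:
            self.locked.add(username)
            return "locked"
        self._sleep(BASE_DELAY_SECONDS * n)        # short, growing delay
        return "delayed"

    def record_success(self, username):
        self.failures.pop(username, None)

    def is_locked(self, username):
        return username in self.locked

    def unlock(self, username):                    # administrative reset
        self.locked.discard(username)
        self.failures.pop(username, None)


if __name__ == "__main__":
    user = UserProfile("jsmith", "John Smith", "(918) 555-0142", "1975-03-09")  # constructed
    for candidate in ("Smith2008!", "Tr0ub4dor&3", "Ab1!"):
        print(candidate, check_password(candidate, user) or "OK")
```

The checker is the kind of rule that a server's password policy (such as the Windows 2003 policies mentioned in the tips) enforces centrally; the guard shows why a lockout and delay belong together: the delay slows guessing, the lockout stops it, and only an administrative unlock clears the locked state.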

OPERATIONAL CONTROLS

Processes and procedures established to enhance the risk posture of an enterprise are called operational controls. These often prescribe methods for using technical controls in a manner that satisfies best-practice guidelines. Moreover, operational controls are typically driven by policy. Policy mandates what will be done, whereas operational controls say how. The secure design principle of psychological acceptability is key in developing operational controls, as is supporting the control with education, training, and awareness. For example, an operational control that directs encrypting stored files will fail if the process is overly complicated or, worse, unknown to the user.

Operational controls for corporate and industrial networks shape the plan for managing IT assets and change control. For example, operational controls may dictate labeling media that contain sensitive information, shredding documents after use, and the routine application of cryptography in transmitting and storing data. Physical security solutions that make use of surveillance equipment and security guards are potent operational controls that complement a cyber-security plan. Operational controls supporting systematic and regular data backup are pillars of disaster recovery.

Data backup

While effective security can prevent most breaches, protecting a computer or network against every potential manmade or natural threat is impossible. Loss of vital data can be costly to an organization, crippling business operations and damaging reputation. The stakes are even higher for critical infrastructure entities, such as electric cooperatives. Thus, data backup and archival storage procedures are key elements of an operational security control strategy.

In developing a backup strategy, many questions must be considered, such as:

• What data should be backed up and how often?
• How long should the backup data be retained?
• What are the implications of legal requirements, such as those imposed by the Internal Revenue Service (IRS) regulations and the Sarbanes-Oxley Act of 2002?
• What type of backup media should be used (tape, compact disc [CD], digital video disc [DVD], other)?
• How long should media be used before being replaced?
• Is off-site storage required, and if so, can the data be recovered quickly in the event this data must be restored?
• If off-site storage is required, where is the best location to keep the data, and should an outside firm specializing in off-site storage be used?
• Is the data sensitive enough that encryption should be considered in case the backups are stolen?
• Is encrypting the data on off-site backup tapes necessary?
• How often should backups be tested to ensure that the backup and restoration process is functioning properly?

Backup Strategy

Backing up relational database files such as Oracle or Structured Query Language (SQL) to a server creates a different set of issues. These files are usually always open, requiring special attention in a comprehensive backup strategy. Electric cooperatives have several options to deal with database backups.

• Purchase special software that can back up these open database files.
• Schedule relational databases to be shut down before a backup occurs.
• Perform an internal database backup to a file before the standard backup occurs. An example of this system would be to schedule a Microsoft Structured Query Language (MSSQL) backup to a file location at 1:00 AM and then have the backup software back up this file at 2:00 AM.
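The third option in the Backup Strategy sidebar (an internal database backup to a file, which the regular backup job then picks up) and the last question in the list above (how often the backup and restore process is tested) can be exercised together. The following is an added example, not the handbook's or any vendor's code: it uses SQLite's online-backup API as a stand-in for the MSSQL backup-to-file job, because SQLite ships with Python and the database stays open while the snapshot is taken, which is exactly the "always open" problem the sidebar describes. The meter table, file names and the tamper step are constructed for the example.

```python
"""Backup an always-open database to a file, record its hash, then prove
the archived file can be restored and is unchanged.

Added example using sqlite3 in place of an MSSQL backup job. Table
contents and file names are constructed for illustration.
"""
import hashlib
import os
import sqlite3
import tempfile


def make_sample_db(path):
    """Create a small 'live' database and return the OPEN connection,
    standing in for a production database that is never shut down."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE meters (meter_id TEXT PRIMARY KEY, kwh REAL)")
    con.executemany("INSERT INTO meters VALUES (?, ?)",
                    [("M-1001", 1520.5), ("M-1002", 873.0), ("M-1003", 2201.25)])  # constructed rows
    con.commit()
    return con


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_to_file(live_con, backup_path):
    """The 1:00 AM step: take a consistent snapshot of the open database
    into a separate file and return the file's SHA-256 for the backup log."""
    dst = sqlite3.connect(backup_path)
    live_con.backup(dst)          # consistent copy even though live_con stays open
    dst.close()
    return sha256_of_file(backup_path)


def verify_restore(backup_path, expected_hash):
    """The periodic restore test: confirm the archived file still matches the
    recorded hash, then restore it into a fresh database and run a real query.
    Returns (ok, detail) where detail is the query result or an error message."""
    if sha256_of_file(backup_path) != expected_hash:
        return False, "backup file hash mismatch"
    with tempfile.TemporaryDirectory() as d:
        src = sqlite3.connect(backup_path)
        dst = sqlite3.connect(os.path.join(d, "restored.db"))
        src.backup(dst)
        src.close()
        rows = dst.execute("SELECT COUNT(*), ROUND(SUM(kwh), 2) FROM meters").fetchone()
        dst.close()
    return True, rows


def run_backup_cycle(tamper=False):
    """Snapshot, change the live data afterwards (the snapshot must not move),
    optionally corrupt the archive, then run the restore test."""
    with tempfile.TemporaryDirectory() as d:
        live = make_sample_db(os.path.join(d, "live.db"))
        archive = os.path.join(d, "nightly.bak")
        digest = backup_to_file(live, archive)
        live.execute("UPDATE meters SET kwh = 0")   # production keeps changing
        live.commit()
        if tamper:
            with open(archive, "ab") as f:
                f.write(b"\x00")                    # simulated media corruption
        ok, detail = verify_restore(archive, digest)
        live.close()
        return ok, detail


if __name__ == "__main__":
    print("clean cycle:", run_backup_cycle())
    print("tampered archive:", run_backup_cycle(tamper=True))
```

The restore test is the part most backup schedules skip: the hash check catches a damaged or altered archive before anyone relies on it, and restoring into a throwaway database and querying it is the only way to know the file is actually usable rather than merely present.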

Electric cooperatives must ensure that all the answers to these questions properly support the IT disaster recovery plan and strategy. The scope of a data-backup strategy and the selection of technologies are of obvious importance. Less obvious is the critical role of testing and exercising the data backup and recovery plan. Periodic testing and exercise can reveal unexpected gaps in a plan, such as recovering data stored on obsolete formats, and inaccessibility of the off-site storage facility.

Tips and Takeaways

• Assess the criticality and time sensitivity of all electronic data on the electric cooperative’s networks.
• Use a centralized system-wide data backup and archival solution that does not rely on active user participation.
• Test the data backup and recovery plan periodically.

Resources: Implementing a Disaster Recovery Plan

• The disaster recovery guide: www.disaster-recovery-guide.com
• Disaster recovery planning: www.drplanning.org/portal

Physical security

While hackers or disgruntled employees may target proprietary company data, another objective is to protect the actual physical assets from “walking out” of a building or being damaged. Laptop and desktop computers are valuable assets. When equipment is not properly secured, the equipment becomes an easy target for thieves entering a building after hours. The cost associated with a stolen device or computer is not limited to the value of the physical asset. Loss of productivity and data can far exceed the cost of the stolen equipment. The damage done by one such act could have a long-term impact on the relationship between an electric cooperative and its members.

Locked doors, security guards, and video surveillance systems are the most common forms of physical security. These standard controls are extremely effective at limiting access to physical assets and at monitoring a facility. The increased mobility and miniaturization of IT makes physical security an even greater concern today. Locking devices are available for physically securing computers and equipment such as printers and monitors. Most of these devices fasten the equipment to a desk or other piece of furniture using some combination of cables, brackets, locking plates, or similar mechanisms. These devices typically range in cost from $30 to $100 and are relatively easy to install. Sample security devices are listed in Table 2.1.

TABLE 2.1: Devices for Physically Securing Computer Equipment (Prices subject to change)

Device | Supplier | Price | Contact
Comprehensive Case Screw Antitheft Package, Ultra | PC Guardian | $35.95 | (800) 288-8126 / (415) 459-0190, www.pcguardian.com
Anchor Pad Lockdown Security Plate | AnchorPad Security, Inc. | From $69.95 | (800) 626-2467 / (714) 827-8888, www.anchorpad.com
CompuClamp | TheftProtection.com | $59.95 | (772) 231-6677, www.compuclamp.com
Desktop MicroSaver Computer Security Lock | Kensington | $34.99 | (800) 535-4242, www.kensington.com
Flexguard Heavy Duty Cable Lock Kit | Philadelphia Security Products, Inc. | $34.95 | (800) 456-1789, www.flexguard.com

Securing laptop and desktop computers and associated peripheral equipment is important. Securing other devices that may contain critical data is also important. For example, field inventory devices and mobile devices used for meter reading or for programming SCADA equipment may contain information that would adversely affect electric cooperative customers if the data fell into the wrong hands.

Another physical access control solution that electric cooperatives might consider is a secure card system. With a secure card system, every employee is assigned a security card that is used to enter the electric cooperative’s buildings. Secure card systems usually come with software that can be used to display a picture on a remote system when the card is used to enter a building. The 24-hour system operators can run the secure card software after hours to monitor who enters and leaves the building.

Power outages naturally affect the availability of electronic data and services. Power backup systems are an integral part of a physical security solution and help ensure that vital information and services remain accessible to users in the event of an outage. A spectrum of backup power strategies exists, ranging from modest surge protectors to uninterruptible power supplies (UPSs) of varied scales. Cooperatives should evaluate the criticality of keeping the system up when power to the building is lost. If the systems are mission critical to the cooperative, then a combination of a UPS for short-term power needs with a generator backup should be considered.

Motion detectors, perimeter alarms, door alarms, and fire-suppression systems also enhance physical security. Motion detectors and door alarms at substations can help reduce theft of computer equipment stored at a substation. Perimeter alarms at the main electric cooperative’s headquarters or other important buildings can help detect intruders before the intruder is able to enter the building and steal computer or other equipment. Alarm systems can be connected to the electric cooperative’s SCADA system so that the 24-hour system operators can monitor these systems after hours. In addition to alarm systems, FM-200-based fire-suppression systems for server rooms and data centers should also be considered. FM-200-based systems extinguish fires quickly through a combination of chemical interaction and heat removal. During business hours, the alarms on monitoring systems can be automatically silenced so the alarms are not displayed but still logged.

Video surveillance cameras attached to computer systems can also be a theft deterrent. Computer-based surveillance systems can be set up to only record when the camera detects motion. In addition, these cameras can be monitored from an external site.

MANAGERIAL CONTROLS

Managerial controls are programmatic or policy-level directives and activities that create a culture of security for a company or organization. Defining an education, training, and awareness program for information security is one example of a managerial control. Security policies are managerial controls that greatly influence decisions made regarding operational and technical controls. Because electric cooperatives engage such a diverse array of systems that may be difficult to protect with a technical control strategy, effective managerial controls are of paramount importance.

Security policies

A cyber-security policy is a formal statement of the rules by which people given access to an organization’s network and information assets must abide. Security policies provide written guidelines on how employees are to use computer assets. Effective policies can increase productivity and reduce liability if a security breach exposes confidential customer information or causes damage to others. Development of security policies is one of the first steps an electric cooperative should take to protect computer assets. The security policy will form the foundation for all subsequent security efforts. Enforcement and education are essential supporting elements of an information security policy. A good policy may limit the liability of an electric cooperative against the malicious or accidental acts of employees, but courts have found organization policies to be nonbinding if the policy is inconsistently enforced.

Policy development. One of the first steps in formulating a security policy is to establish a policy-development team. The team should include people who work in various functional areas of the company, along with someone from the IT area with technical knowledge of the network. The team may require an outside consultant to assist in this process. There are many resources available on the Internet to help the team get started.

Policy structure and contents. The security policy should have an introduction that motivates policy creation, describes what systems and users are under the policy, and presents the consequences for violating the policy. The body of the policy outlines mandated, permissible and/or impermissible actions on the subject information system. An information-security policy must address a variety of topics and concerns, from e-mail use to cyberstalking to firewall management. Other components a security policy should cover include:

• Acceptable use
• Authentication and password protection
• Remote user access
• Network security
• Physical security

Depending on the organization’s desired emphasis on a particular area, any of the above components may warrant a separate and distinct policy.

Policy approval and dissemination. Once the draft policy is complete, it should be reviewed and approved by management. All employees should be given a copy of the policy and be required to sign a document stating that they have read and understood it. A single point of contact should then be assigned to answer any questions about the policy.

Policy enforcement. One of the most important aspects of a security policy is its enforcement. While a company creates its security policies, it should pay special attention to precisely wording its enforcement and disciplinary procedures. It is vital that enforcement procedures are executed fairly and consistently.

Policy review. A policy is a “living document” that should be reviewed and updated at least annually. As new threats are identified and computer systems become more widely used in an electric cooperative, security risks will continue to emerge and evolve. Electric cooperatives should consider both the corporate network and the secure SCADA network when creating a security policy.

Resources: Security Policy and Guideline Development

• The System Administration, Network, and Security (SANS) Institute security policy project: www.sans.org/resources/policies
• Security guidance by and for the federal government: http://csrc.nist.gov
• Security policy writing styles and guidelines from InfoSysSec: www.infosyssec.org/infosyssec/security/secpol1.htm
• Windows Network Security Library’s sample policy: www.windowsecurity.com/whitepapers/policy_and_standards/Internet_Security_Policy

INCIDENT MANAGEMENT

Despite an organization’s best efforts to prevent attacks, at some point an incident will occur. The actions taken during and immediately after such an event are critical. Phases of incident management include detection, containment, eradication, and system recovery and restoration. During the event every effort should be made to document what occurred and when. All logs from affected systems should be preserved, as well as any data that may have been affected during the incident. Logs are stored at the operating system level and program level, and separate logs may be present in external hardware such as routers or switches. These processes are critical for incident detection and containment.

Incident and disaster recovery strategies, shaped by business continuity plans and requirements, allow an enterprise to resume operations as soon as possible after an incident has occurred. Of chief importance in disaster recovery is the dependability of data and system software backups. Provisioning secure links from an off-site backup facility to corporate and SCADA networks must be considered as an integral and potentially expensive component of a disaster recovery and/or business continuity strategy. Manual procedures for operations should be developed in anticipation of extended downtimes for IT equipment. Moreover, disaster recovery plans should be tested periodically to assess their viability.

Evidence preservation

The collection of evidence is critical after any attack or intrusion. Evidence preservation is essential for legal recourse and protection, and for understanding the full extent and nature of an incident. The goal is to preserve data as quickly and completely as possible, while maintaining data integrity. As such, it is recommended that digital forensics specialists be used to collect as much data as early as possible. You can always analyze or cull the data later, but you may never get a second chance to collect it.

While speed is supremely important, collected data should be preserved in a manner that will eliminate the possibility of tampering. This preservation means, at a minimum, transferring data to nonmutable media such as CDs. A more forensically sound option is to collect the evidence with a bit-by-bit copying method that uses hashing to validate data completeness and integrity.

When an incident is reported, affected noncritical systems should be shut down or removed from service until evidence is collected and the event is contained. Critical systems, by their nature, cannot be shut down, so efforts to collect logging and other information must be done as quickly as possible. On many systems the log data may be kept in a “rolling” fashion so that only the most recent events are preserved. Any delay in collecting evidence from these sources may ultimately lead to full or partial evidence destruction as events are overwritten. In some cases, overwrites may occur in minutes, requiring a very rapid response to preserve evidence.

Because of the technically challenging nature of data collection on some systems, electric cooperatives should consider retaining or consulting with a third-party firm that has knowledge and expertise in collecting and preserving data. Often, special tools and techniques are required to extract evidence, and firms that specialize in this area are equipped with the proper methods and devices used to collect, preserve, and analyze incident data. Third parties are also desirable for evidence collection due to potential conflicts of interest that may arise in the investigation of an incident. Whenever hiring a forensics firm, be sure that they follow the licensing requirements for the state (typically a private investigator license) and be certain to ask about collection, investigation, and storage procedures. Most attorneys know the options for forensics firms in any given area, and can provide good counsel on the most suitable experts.

Many firms around the country specialize in evidence collection and preservation. When looking for a firm, inquire about collection capabilities. Experienced firms will exhibit a record of collecting a variety of data sources both from a lab environment and at customer locations. For example, Digital Forensics Professionals (DFP) provides consulting that emphasizes early evaluation to create an action plan for event handling and rapid response when events occur. DFP can also provide response teams for incident handling. Other companies, such as Paraben Corporation, provide software, training, and response teams for incident response. Finally, AccessData’s Forensics ToolKit is one of the primary forensics investigation software suites; EnCase is another popular forensics investigation software application.

Types of Services

• Electronic discovery. Firms that offer this service generally specialize in litigation matters and focus on finding and producing readily available documents on computers. The majority of their clients are typically attorneys or large [...] needing to organize a large document production project. They may offer forensic services as a sideline.
• Data recovery. Some firms specialize in recovering data that has been deleted or misplaced either due to hardware or software issues. Firms in this specialty are typically familiar with computer hardware, and often cannot bring required equipment to the field.
• Computer forensics. Some firms specialize in uncovering data that may not be readily available. They can combine the software data recovery functions and the electronic discovery production services with a higher level of computer knowledge and specialized software tools and techniques to better select data stores for needed information.

Checklist: What to Have Before You Call

1. Computer type—Macintosh, personal computer (PC), server, laptop.
2. Operating system and version (if known)—MS Windows, LINUX.
3. Backup availability—tape drives, DVDs, and so on.
4. Architecture—stand-alone system, RAID, server configuration.
5. List of critical data that needs to be recovered.
6. Clear, concise description of the problem and steps already taken to resolve it.
7. List of personnel that have knowledge of affected systems and can render assistance if required (such as password information).

Questions to Ask a Forensics Firm

• How soon can you take this case? Can you collect the information now? How long would you take to arrive at site and begin?
• What are the qualifications of members of the firm? How much experience do you have in the field? Are the members certified on the hardware and software being used? Am I going to get the most experienced members of the firm?
• Does the firm have all applicable licensing for the state they are working in?
• Is the firm insured against error and omission?
• What rates will be charged? Can the charges be estimated for the project?
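The "bit-by-bit copying method that uses hashing to validate data completeness and integrity" from the Evidence preservation subsection, shown as an added example (not the handbook's code and not how any of the forensics products it names work internally). The source "drive" is a constructed file so the example runs offline; a real acquisition would read a block device through a write blocker and the custody record would carry case details. The examiner name and file names are constructed placeholders.

```python
"""Bit-for-bit imaging with independent hashing of source and image, a
chain-of-custody record, and later re-verification of the image.

Added example, not the handbook's code. The 'device' is a constructed
file; the examiner name and paths are placeholders.
"""
import hashlib
import json
import os
import tempfile
import time

BLOCK = 4096   # read/write unit; any size works, the copy is still byte-exact


def _sha256_stream(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src_path, img_path):
    """Copy every byte of src to img. The source hash is computed from the
    bytes as they are read; the image hash is computed by re-reading the
    written file, so a write error or short copy shows up as a mismatch."""
    h_src = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(BLOCK), b""):
            h_src.update(block)
            img.write(block)
    return h_src.hexdigest(), _sha256_stream(img_path)


def acquire(src_path, img_path, examiner):
    """Image the source and write a custody record beside the image."""
    src_hash, img_hash = image_device(src_path, img_path)
    record = {
        "source": os.path.basename(src_path),
        "image": os.path.basename(img_path),
        "bytes": os.path.getsize(img_path),
        "sha256_source": src_hash,
        "sha256_image": img_hash,
        "verified": src_hash == img_hash,
        "examiner": examiner,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(img_path + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def reverify(img_path):
    """Re-hash an image at any later time (before analysis, before court)
    and compare against the hash recorded at acquisition."""
    with open(img_path + ".custody.json") as f:
        record = json.load(f)
    return _sha256_stream(img_path) == record["sha256_image"]


def run_demo():
    """Acquire a constructed device, re-verify, then show that a single
    changed byte in the image is detected."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "sdb.raw")        # constructed stand-in for a drive
        image = os.path.join(d, "case-0001.dd")    # placeholder case name
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * 40 + b"trailer")   # 10247 bytes, not block-aligned
        record = acquire(device, image, "examiner (placeholder)")
        clean = reverify(image)
        with open(image, "r+b") as f:             # simulated tampering after acquisition
            f.seek(5000)
            f.write(b"\xff")
        return {"verified_at_acquisition": record["verified"],
                "bytes": record["bytes"],
                "reverify_clean": clean,
                "reverify_tampered": reverify(image)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Hashing the source stream and the written image separately is the point: a single hash of the copy would only prove the copy matches itself. Keeping the record as a separate file, and re-hashing before every use of the image, is what lets the cooperative (or the third-party firm) show later that the evidence is the same data that was collected.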


Section 3: Protecting Electric Cooperatives’ Business Systems

In This Section:

• Safeguarding Workstations, Laptops, and Desktops
• Defending the Network
• Protecting Information Services

Electric cooperatives maintain corporate networks to house information systems that manage [...], customer service, and other business needs. Corporate networks contain sensitive data such as account numbers, intellectual property, financial statements, and personal identifying information. As such, these are compelling targets for computer criminals.

While electric cooperatives may initially focus on defending electric control networks, securing their corporate networks is equally important. Strategies and solutions for protecting corporate systems exist at the equipment level, at the network level, and at the level of the information on the systems themselves.

Safeguarding Workstations, Laptops, and Desktops

Most employees connect to their network through workstations and desktop and laptop computers. Their protection is a chief goal in any cyber-security strategy. A spectrum of threats confronts these kinds of systems—from rootkits to spam.

COMBATING MALWARE AND VIRUSES

Malware is software designed to infiltrate and damage a computer system without the owner’s knowledge. The term malware generally describes various types of malicious software, including Trojan horses and rootkits. Malware typically exploits vulnerabilities in software and users to propagate across computers on a network.

A Trojan horse is renegade code hidden in otherwise legitimate software. The hidden code can act maliciously or not. In either case, its actions are not part of the expected behavior of the host software. Logic bombs, for example, are Trojan horses that are triggered to execute a malicious action on some condition detectable by the software. Trojan malware can send data out from an internal corporate network back out onto the Internet. A list of ports used by Trojans is available from Simovits Consulting. Unexplained traffic on one of these ports could indicate that a computer inside the network is infected by a Trojan. Personal firewalls can be used to block the network activity of known malware.

Rootkits are software tool collections intended to conceal processes, files, or system data from the operating system. They are commonly used to help intruders acquire access to systems while avoiding detection. Rootkits exist for most operating systems, including recent generations of MS Windows, Linux, and Solaris. They routinely alter parts of the operating system or install themselves as drivers or kernel modules to remain undetected.

New bugs and security holes are discovered in software on a daily basis. Accordingly, software updates are a major part of keeping a system safe from intruders. Patch management solutions, some built into modern operating systems, others sold as à la carte products, track software versions and install updates for networked computers.

Patch Management

• Prioritize patching—security-critical updates need to be installed as quickly as possible.
• Windows XP and Vista can automatically retrieve security patches, bug fixes, and other software updates.
• Use a mailing list for critical updates to ensure that necessary personnel are alerted.
• Check with your IT department or [...] before updating software.

Note: Electric cooperatives might consider investing in a patch management software package. These packages allow system administrators to manage patches on both servers and client workstations and can detect what software patches and versions are currently installed.

Viruses are self-replicating computer programs that propagate across systems and exhibit malicious or benign behavior. Most commonly, viruses are received as attachments to e-mail messages and execute when the user attempts to open the attachment. According to McAfee Security, over 100,000 distinct viruses exist today and some 200 to 400 new viruses are developed daily. Viruses spread to other computers on a network and to systems of users whose names are stored in address books or databases on the host. Many are very destructive and can erase files, corrupt hard drives, cause systems to crash, or even destroy hardware and software components. Accordingly, virus protection should be a requirement for all computers on an electric cooperative’s network. Connecting a PC to the Internet without using some type of virus protection is like leaving your front door unlocked when you go on vacation—if you’re lucky, you’ll come home to find that all is well, but this is a huge and unnecessary risk.

An antivirus solution should be established that includes automatic updates for the entire network. New viruses are developed daily and individuals who develop viruses continue to find new ways to circumvent antivirus software. Some viruses are even designed to disable antivirus software. Most antivirus software packages have the ability to check installed updates and download new updates automatically. Network servers also can be programmed to automatically check for updates and download them to the networked computers automatically. Using an antivirus solution that automatically updates virus signatures is an effective way to relieve some of the administrative burden of keeping pace with the computer virus “arms race.” Ensuring that users are not downloading unauthorized programs, are regularly updating malware/virus signatures, and are scanning for such programs is the best way to keep a computer and its data safe.

Electric cooperatives should take special care to ensure that users cannot disable virus scan and spyware protection. Another important aspect to note is that virus/spyware software runs all the time on each user’s computer and takes up system memory and resources. If the electric cooperative has older computers, installing virus/spyware software can have a significant impact on computer usability. In addition, when a new version of a cooperative’s virus/spyware software is installed, additional memory might have to be added to users’ computers.

Tips and Takeaways

• Engage a patch management system that centralizes the software update process.
• Use an antivirus solution that automatically updates the latest signatures.
• Educate users to avoid installing unnecessary software.

Resources: Virus Protection
• McAfee Security: http://vil.nai.com/vil/default.aspx
• Symantec (Norton Antivirus): http://securityresponse.symantec.com
• Sophos: www.sophos.com
• F-Secure: http://f-secure.com/virus-info
• Vmyths (reports which virus alerts are hoaxes): www.vmyths.com
• Computer Associates: www.ca.com/us

SNIFFING OUT CYBER FRAUD

The advent of online banking, shopping, and consumer profiling has created a booming industry in identity theft. Personal identifying information stored on systems or networks warrants special consideration in the development of a cyber-security plan. Cyber criminals have developed special techniques such as phishing to capture the identities of their victims. Employees of electric cooperatives may fall victim to these techniques, exposing the electric cooperative to legal liability and risk.

Identity theft

Identity theft occurs when information such as a credit card number, a social security number (SSN), or any other form of personal identification is illegally acquired. While the effects of identity theft are not limited to the financial domain, monetary gain is the most common motive. Unfortunately, victims are often not aware of the theft of their identity until well after the damage is done. Even though poor credit ratings can be mended and fraudulent charges waived, it takes valuable time and effort to clean up the mess left behind. Surveys indicate that between 2003 and 2006 approximately $56.6 billion was lost due to identity theft and fraud. During this time period, the average dollar amount of fraud per person rose from $5,249 to $6,383. A 2003 survey conducted by the Identity Theft Resource Center found that only 15% of victims uncover identity theft through proactive measures, and it took approximately 40 hours of time per victim to repair the damage. In addition, 73% of victims reported that their credit card information was stolen.

Proper storage and disposal of customer and employee information is very important. A key factor in securing sensitive information is implementing proper procedures for the personnel who will be managing such information, especially when it is stored on desktop and laptop computers. Ensuring that employees are diligent in protecting information starts at the beginning of employment. For those with access to sensitive information, running background checks and checking references, along with requiring the employee to sign confidentiality and security standards, is a good idea.

Programs such as SDelete.exe by Microsoft are available to ensure data disks are cleaned of customer information. Third-party vendors are also a viable solution for handling the storage and disposal of sensitive customer information. These vendors can offer solutions for records management, data protection and backup, disaster recovery, and secure shredding and disposal. Vendors such as Iron Mountain ensure that company information will be kept confidential for as long as necessary and that disposal is performed properly.

Defending Against Cyber Fraud

Employee education is one of the main tools to defend against cyber fraud. The following are some items that will help employees prevent cyber crime.
• Employees should be aware of the lock symbol that indicates a site is secure.
• Sensitive data should only be entered in secure sites.
• E-mails that claim “you have won!” something are usually fake and should be deleted.
• Sensitive personal information should never be placed on a public Web page, in an IM chat window, or even in an e-mail.
• It is best to buy from known vendors on the Web, not from individuals.
• A company found on a search engine could be outside the United States and not subject to U.S. rules that protect customers.

The most important rule of detecting cyber fraud is “If something is too good to be true, it probably is.”

Recently the Federal Trade Commission (FTC) established a new set of identity-theft prevention regulations titled the Red Flag Rule. As a result, cooperatives with one or more covered accounts

will have to establish an identity-theft prevention program. The program should consist of written policies and procedures to detect, prevent, and mitigate identity theft. The initial program must be approved by the cooperative’s board, and a senior manager must oversee the program. The rule was effective January 1, 2008, but covered entities have until November 1, 2008, to comply. For detailed information, see the Red Flag Rule Links sidebar.

Red Flag Rule Links
• Video summary of the Red Flag Rule by Tracey Steiner (this link requires a www.cooperative.com log-in): www.cooperative.com/general/resources/redflags/redflags.htm
• FTC identity-theft prevention site: www.ftc.gov/bcp/edu/microsites/idtheft/business/safeguards.html
• FTC Red Flag alert: www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm

Phishing

Phishing is a social-engineering technique whereby an individual attempts to acquire sensitive information such as passwords, credit card numbers, and SSNs through electronic media such as e-mail or Web sites. Phishers can masquerade as digital payment portals (for example, PayPal) and financial institutions to con victims into handing over their sensitive information. There are two primary types of phishing: link manipulation and Web-site spoofing.

Link manipulation involves designing a link in an e-mail that appears to lead to a legitimate Web site. Deceptive links such as http://abcbank.com.example.com are sent to the recipient in an attempt to fool her into thinking she is visiting a local bank. Another type of link comes in the form of http://www.google.com@example.Website.com, which makes the user believe he is visiting a Web page hosted by www.google.com. These types of links were originally designed as a way to include username and possibly password information in the link to increase browsing speed. Internet Explorer disables the ability to browse through Web sites of this type, while browsers such as Mozilla provide the user the option of continuing to the Web site.

A third type of link manipulation includes altering legitimate-looking Internationalized Domain Names (IDNs) so that they lead to alternate, potentially malicious, Web sites. A similar risk to IDN manipulation is the use of open URL redirectors on trusted Web sites to disguise malicious URLs that contain a trusted domain.

Web-site spoofing uses a phishing kit to create a convincing replica of a legitimate Web site. One type of Web spoofing relies on JavaScript commands to alter the address bar, making it appear legitimate by masking the real address bar with another that contains a valid Web address. This trick was actually used against PayPal users in 2006 to gather their account information.

Antiphishing technology currently uses online databases that identify suspect Web sites. Most such solutions offer the ability to check the online database each time a site is visited or to cache a local copy that is updated periodically. Antiphishing technology can also scan Web pages for fraudulent characteristics, as does Microsoft’s Internet Explorer 7 (IE7).

For those who do not use IE7, the MSN toolbar is a viable alternative. Microsoft incorporated its antiphishing technology as an add-on for the MSN toolbar, available for download at www.microsoft.com. Once downloaded and installed, the phishing filter automatically scans Web sites while the user surfs the Internet.

Vidoop Secure and SiteKey are examples of antiphishing technology that use to protect their customers. For example, Bank of America (BoA) has employed SiteKey to help its customers defend themselves against identity theft. SiteKey works by trying to associate a user with a remote machine. If this succeeds, the user is presented with a SiteKey—a personalized image and title selected by the user—allowing him to validate the authenticity of the Web site (only the legitimate Web site knows what SiteKey to present). If the user is logging in from a different machine, SiteKey gives him a predetermined security challenge and presents the user’s SiteKey only after verifying the user response. Once the Web site has presented the SiteKey to a user, it requests his passcode to complete the log-in process.

(Note: One way to help determine if a site is a phishing site is to use a Whois Lookup such as the one found on DomainTools to see how long the domain has been in service. If the domain has been in service for a short time, it is most likely a phishing site.)

Financial Losses Due to Phishing
• The FTC reported that losses due to identity theft in 2004 totaled $547 million. Of that, $265 million in losses were from Internet-related cases.
• Gartner Research estimates that from May 2004 through 2005, automated teller machine (ATM)/debit card fraud rose to approximately $2.75 billion in the United States, with an average of $900 lost per account.
• PC World estimated that in 2006, consumers lost approximately $2.8 billion to phishing scams, with an estimated average of $1,244 lost per account.

Identifying and Avoiding Phishing

How to spot a phishing attack:
• Log-in screens that appear in a pop-up window
• Impersonal e-mails with troubling information about a user account (especially one you do not have), soliciting you to follow an embedded hyperlink
• Requests for personal information such as a social security number, credit card number, username, password, and so on

(Note that fraudulent sites may very closely resemble legitimate Web sites, using graphics and links of the valid Web site.)

Avoiding phishing attacks:
• Type the main address of the site mentioned in the Web browser instead of using a link provided in an e-mail.
• Check the main site for announcements of phishing attacks.
• Contact the organization by phone to verify the authenticity of the message.

Tips and Takeaways
• Use disk-wiping utilities to remove potentially sensitive data from disposed hard drives.
• Educate users about the hazards of phishing and online identity theft.
• Consider a solution such as Vidoop Secure or SiteKey if your Web site collects or uses personal identification information.

Resources: Combating Malware and Viruses
• Simovits Consulting: www.simovits.com/nyheter9902.html
• Rootkit information: http://antivirus.about.com/od/rootkits/Rootkit_Information_and_Detection.htm
• Vidoop Secure: www.vidoop.com
• SiteKey: www.bankofamerica.com/privacy/sitekey
• Phishing information: www.windowsecurity.com/whitepapers/policy_and_standards/Internet_Security_Policy
• Phishing IQ test: www.sonicwall.com/phishing
• F-Secure phishing examples: www.youtube.com/watch?v=6NviimO64qA, www.youtube.com/watch?v=Sm_Gz40Wca4&feature=related

COPING WITH ANNOYANCES—SPYWARE, ADWARE, AND SPAM

Spyware is software installed without the user’s knowledge and designed to intercept information or take control of the user’s computer. Spyware can be used to monitor user behavior and to collect personal information. It can also interfere with the use of a computer by installing additional software, redirecting Web-browser activity, logging keystrokes, or diverting advertising revenue to a third party.

Adware is a close cousin of spyware, and is typically contained within freeware or software packages. Adware automatically downloads and displays advertisements on a computer after the software is installed. In some cases, users may be given the option to pay for a registered or licensed variant of a shareware or freeware package that is not burdened with adware.

Both adware and spyware like to make use of pop-up windows. Pop-ups are used by marketing departments to sell products or services and are designed to present the user with something they otherwise might not notice on the Web site. Though these types of pop-ups are annoying, they generally do not pose a security threat. Many different types of pop-up blocking software are available to individual users and IT

groups for free or for purchase. The two most popular Web browsers—IE and Firefox—contain built-in pop-up blocking features, while Google and Yahoo provide pop-up blocking toolbars. Several vendors offer stand-alone software (for example, STOPzilla, Super Pop-Up Blocker, Norton, and EarthLink Pop-Up Blocker) capable of blocking most pop-ups that the typical user will encounter.

The most effective way to mitigate the threats posed by spyware and adware is to avoid downloading and installing programs from the Internet and to enforce a policy that mandates controlling the installation of software through the IT department. The more insidious forms of spyware and adware infest a system and alter system files to make their removal difficult. Should a computer become infested, there are a number of applications available that seek out and eradicate spyware and adware, including:
• Symantec’s Norton Internet Security Suite
• McAfee Internet Security
• Spybot Search & Destroy
• HijackThis
• Lavasoft’s Adaware
• Webroot Spy Sweeper

Spam—unsolicited commercial e-mail messages—constitutes one of the biggest problems facing corporate e-mail systems today. In 2006 approximately 40% of all e-mail received was considered spam, with approximately 12.4 billion spam e-mails sent. Also in 2006, the average consumer received a large number of unwanted e-mails a week, and 20% of those e-mails were related to pornography. America On-Line (AoL), the nation’s largest Internet service provider (ISP), estimates that it blocks almost 2.4 billion e-mails a day, or about 80% of its inbound mail.

Electric cooperatives have a number of options available for fighting spam:
• Deploy spam filters at the mail server to keep it from reaching the end user
• Deploy spam filters on desktop or laptop computers
• Use a third-party service where mail is routed through a filter before it reaches the electric cooperative’s mail server
• Some combination of the above

Electric cooperatives that use an ISP to handle their mail services should check to see what type of spam-filtering service the provider offers. When electric cooperatives run their own mail servers using MS Exchange or another e-mail platform, a filter may be installed on the mail server to block incoming spam. Alternatively, a third-party service that charges a monthly fee may be used to filter mail for spam.

If centralized spam filtering isn’t available, then filtering must be done at each workstation. Several free and commercially available antispam products exist, such as Spamato, SpamPal, and SpamFighter for personal computers and servers. Commercially available software such as GFi MailEssentials, XWall, and McAfee protect most types of e-mail servers, such as Novell GroupWise, MS Exchange, and Lotus Notes. Though antispam software will not catch every piece of spam e-mail that is sent, it will be able to filter the majority of spam e-mails.

GFi MailEssentials works for MS Exchange, Simple Mail Transfer Protocol (SMTP), and Lotus Notes mail servers, and employs a Bayesian filter to test incoming e-mails. In addition to blocking spam e-mails, GFi MailEssentials adds e-mail management tools by providing disclaimers, Internet mail reporting, list servers, server-based auto replies, and Post Office Protocol—Version 3 (POP3) downloading.

XWall works with MS Exchange, IMail, Lotus Notes, and Novell GroupWise. XWall utilizes Bayesian, heuristic spam, phishing, image spam, and other filters to protect users. Once a spam message is detected, it is moved to a spam folder for viewing. XWall also provides an automatic white list to prevent false-positive tagging, a manual exclusion option from spam checking by e-mail and Internet protocol (IP) address, as well as allowing administrators to mark, delete, or forward spam messages.

McAfee SpamKiller for mail servers is designed to block spam and phishing scam e-mails. It works by searching domain name reputation and employing image detection, integrity analysis, heuristic detection, and Bayesian and content filtering for spam detection—as well as utilizing white and black lists. It also searches the type of files attached, the file size, and the message content to ensure that unwanted e-mail messages are blocked from the user.

As with an automobile, it is both easier and less costly to maintain an operational system than it is to repair a damaged one. Ensuring that users are not downloading unauthorized programs, are regularly scanning for malware, and are effectively limiting spam is the best way to keep a computer up and running.

Tips and Takeaways
• Use antispyware software to regularly scan and clean all desktop systems. For instance, Spybot Search & Destroy is an excellent freeware application to detect and remove spyware.
• Engage centralized spam filtering software to throttle unsolicited e-mails at the edge of the network.
• Norton Internet Security and McAfee Internet Security are subscription-based software that offer both spyware protection and spam filtering.
• Top-rated freeware applications to protect against spyware are Spybot Search & Destroy and Lavasoft Adaware.
• A top-rated freeware application for spam control is SpamKiller.
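The link-manipulation patterns described under Phishing above (a trusted name used as a subdomain, user-info before “@”, IDN look-alikes, and open redirectors on a trusted site) can be checked mechanically before a user follows a link. The following is an added example written for this section, not code from the handbook or any vendor product; the trusted-domain list, the abbreviated suffix list, and the sample URLs are constructed for illustration.

```python
"""Classify e-mail links for the link-manipulation patterns discussed above.

Added example for this handbook section (not code from the handbook or any
vendor).  Trusted domains, the suffix list and the sample URLs are constructed.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed: domains the cooperative treats as its own or as trusted brands.
TRUSTED_DOMAINS = ("abcbank.com", "google.com", "paypal.com")

# Constructed two-label public suffixes; production code would load the full
# Public Suffix List so that "bank.co.uk" is not reduced to "co.uk".
MULTI_PART_SUFFIXES = {"co.uk", "com.au"}


def registered_domain(host: str) -> str:
    """Registrable domain of a host name: the site a browser really connects
    to, e.g. 'example.com' for 'abcbank.com.example.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def contains_labels(host: str, brand: str) -> bool:
    """True if brand's labels appear contiguously inside host's labels."""
    h, b = host.lower().split("."), brand.lower().split(".")
    return any(h[i:i + len(b)] == b for i in range(len(h) - len(b) + 1))


def analyze_link(url: str) -> dict:
    """Return the real host, its registered domain and a list of findings.
    A link is 'trusted' only if it lands on a trusted domain with no findings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname excludes user:pass@ and :port
    effective = registered_domain(host) if host else ""
    findings = []

    # Pattern 1: http://www.google.com@example.Website.com -- everything before
    # '@' is user-info, not the site; the browser connects to the part after it.
    if parts.username is not None:
        findings.append("user-info before '@'; real host is %s" % host)

    # Pattern 2: http://abcbank.com.example.com -- a trusted name used as a
    # subdomain of an unrelated registered domain.
    for brand in TRUSTED_DOMAINS:
        if contains_labels(host, brand) and effective != brand:
            findings.append("%s appears in host name but the site is %s" % (brand, effective))
            break

    # Pattern 3: IDN look-alikes, delivered as raw non-ASCII or punycode labels.
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("internationalized (IDN) host name; inspect each character")

    # Pattern 4: open redirector on a trusted site -- the query string carries
    # another absolute URL whose domain differs from the one shown to the user.
    for values in parse_qs(parts.query).values():
        for value in values:
            target = urlsplit(unquote(value))
            if target.scheme in ("http", "https") and target.hostname:
                target_domain = registered_domain(target.hostname)
                if target_domain != effective:
                    findings.append("redirects to %s via query parameter" % target_domain)

    return {
        "host": host,
        "effective_domain": effective,
        "trusted": effective in TRUSTED_DOMAINS and not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample links of the kinds discussed in the text.
    samples = [
        "https://www.abcbank.com/login",
        "http://abcbank.com.example.com/login",
        "http://www.google.com@example.Website.com",
        "http://xn--pypal-4ve.com/signin",
        "https://www.abcbank.com/redirect?url=http%3A%2F%2Fevil.example.net%2F",
    ]
    for link in samples:
        report = analyze_link(link)
        verdict = "trusted" if report["trusted"] else "SUSPECT"
        print("%-70s %s -> %s" % (link, verdict, report["effective_domain"]))
        for finding in report["findings"]:
            print("    -", finding)
```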

Defending the Network

Network defense requires the strategic application of security technologies guided by the fundamental principles of information assurance. Network design also has a role to play in securing assets on a network. Special security concerns exist for wireless networks.

ARCHITECTING A NETWORK FOR SECURITY

A sound network architecture sets the stage for a rational and efficient implementation of security controls and technologies. Most organizations create an intranet to support locally networked services. An intranet is like a private version of the Internet, relying on the same technical protocols to establish connectivity between local users and resources. Extranets, on the other hand, extend beyond the physical confines of their local networks (across the public telephone network, for instance) to allow remote access and telecommuting. Intranets and extranets are commonly used in concert by organizations to support local and remote corporate information services.

Most security experts agree that the best way to protect a network (intranet and extranet alike) is by using a layered security approach—a technique known as “defense in depth.” This technique buffers the most sensitive assets from the outside world with a series of protective countermeasures. Layering network-level authentication and access control with application-level controls and auditing services means that attackers must surmount a series of obstacles to achieve their objectives.

The starting point for defense in depth is often the creation of a network architecture with subnets that materialize zones of distinct functional and security requirements. Assets with common requirements are colocated in a zone, which is protected under a collection of security controls. The more critical or sensitive the asset or resource, the more stringent and extensive the security control set.

The network perimeter

A perimeter router is an enterprise intranet’s gateway to the Internet. All inbound and outbound traffic (including e-mail) flows through it. The vendor or manufacturer will normally provide default security settings and passwords for accessing the router. These default settings and passwords should immediately be reconfigured upon installation. For example, more secure passwords should be established, using the password guidelines outlined in this handbook. In addition, whenever passwords are stored on the network, they should be encrypted.

A Network Address Translation (NAT) security feature is available on most routers. It is designed to protect the identity of the internal addresses of the network users and devices from the outside world. This limits the potential for an adversary to profile a network and learn its architecture, a key process in the reconnaissance phase of a network attack. NAT can be implemented either on a router or on a firewall. While NAT is a security capability for protecting the network from the Internet, it is probably the least robust capability available and should never be considered an adequate substitute for a firewall. If no firewall exists at the network perimeter, one should be added.

Subnetting for security

Network administrators and architects use subnets to partition a network into hierarchical domains that represent distinct organizational units or subunits. Subnets simplify routing network traffic and can improve the overall performance of a network. They can also have a positive impact on the security of an information network. Subnets simplify routing and increase network performance by isolating network traffic. From the standpoint of security, isolation is a basic tactic for protecting data and assets. Network architects can use subnets to create buffers between sensitive resources and potential threats. Subnets also give them an opportunity to place resources that share common security requirements in a zone that is protected under a common and appropriate set of security controls.

Subnetting can be a valuable tool for electric cooperatives to improve security. One common example is to only allow computers from specific subnets to access information in the SCADA system demilitarized zone (DMZ). As a result, only specific computers will have any access to the EMS/SCADA systems.

Demilitarized zones

A DMZ is a network segment that sits between the organization’s internal network and the external network. The idea is to allow for a segment to be accessed from both the external and internal networks, while limiting DMZ access to the internal network. In this way, servers in the DMZ can provide services to both internal and external sources while preventing the DMZ from being used as an attack vector to the internal network.

The classic example when discussing a DMZ is that of a Web server and an internal network. The Web server needs to service requests from both the external network, often the Internet, and the internal network. The Web server should never need to access services in the internal network. Firewalls can then be placed between the DMZ and the external network, and between the DMZ and the internal network, to enforce these security rules.

Since a DMZ is intended to be placed between internal and external networks, services placed in a DMZ should reflect the need to be accessed both internally and externally. For example, public Web servers have an obvious need. Public e-mail systems are also frequently used to forward messages to and from the external network. Public domain name system servers need to carry information to and from the external network. In any case, an organization should consider placing servers on the internal network to carry information not needed by external users. For instance, an internal mail server might carry all e-mails that pass strictly between internal users, while forwarding e-mails destined for external users to the external mail server in the DMZ.

Device hardening

A process called hardening is used to secure network devices by modifying their security configurations to better respect the “principle of least privilege.” One simple way to harden a device is to turn off features that are not required. This may include turning off support for network configurations that are no longer needed on routers, closing unused ports on firewalls, and stopping extraneous services on the network. The basic goals of hardening are to use those features that enhance network security, such as filtering and auditing, and to eliminate as many unneeded features as possible that may otherwise allow hackers and unauthorized users to gain access to the network. An external vulnerability scan may be useful in determining the current set of features enabled and services visible from a network to the outside world. This is a good starting point for the device-hardening process.

Resources: Security Policy and Guideline Development
• Basics of a DMZ: http://en.wikipedia.org/wiki/Demilitarized_zone_%28computing%29
• How to install a DMZ: www.axigen.com/articles/how-to-install-a-demilitarized-zone-for-your-servers_24.html
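The DMZ and subnetting rules just described (DMZ servers reachable from both sides, the DMZ never initiating into the internal network, only designated subnets reaching the SCADA DMZ), together with the deny-by-default and anti-spoofing conventions the Firewalls discussion below applies to them, can be written down as a small zone-based policy and tested against sample traffic. The following is an added example written for this section, not code from the handbook or any firewall vendor; zone names, subnets, ports and the operations subnet 10.10.50.0/24 are constructed for illustration.

```python
"""Zone-based firewall model for the DMZ design described above.

Added example for this section (not from the handbook or any firewall vendor).
Zone names, subnets, ports and the operations subnet are constructed.  It models
the stated rules: DMZ servers are reachable from outside and inside; the DMZ never
initiates into the internal network; only designated subnets reach the SCADA DMZ;
traffic from a lower to a higher security level is denied unless a rule allows it;
and inside-interface packets without an internal source are discarded as spoofed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: (security level, subnets).  Higher level = more trusted.
ZONES = {
    "outside":   (0,  [ip_network("0.0.0.0/0")]),      # the Internet (catch-all)
    "dmz":       (50, [ip_network("192.0.2.0/24")]),   # public Web/mail servers
    "inside":    (80, [ip_network("10.10.0.0/16")]),   # cooperative LAN
    "scada_dmz": (90, [ip_network("10.200.0.0/24")]),  # SCADA historian segment
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dports: frozenset          # destination ports this rule permits
    src_nets: tuple = ()       # if non-empty, source must fall inside one of these


# Constructed rule set.  There is deliberately no rule whose dst_zone is
# "inside": nothing in a lower zone may initiate a connection inward.
RULES = (
    Rule("outside", "dmz", frozenset({80, 443, 25})),        # Web and mail relay
    Rule("inside", "dmz", frozenset({80, 443, 25})),         # staff use, mail forwarding
    Rule("inside", "scada_dmz", frozenset({1433}),           # SQL to the historian,
         src_nets=(ip_network("10.10.50.0/24"),)),           # operations subnet only
)


def zone_of(addr: str) -> str:
    """Name of the most specific zone whose subnet contains addr."""
    ip = ip_address(addr)
    best, best_len = "outside", -1
    for name, (_, nets) in ZONES.items():
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def evaluate(pkt: Packet, ingress_zone: str) -> tuple:
    """Return (verdict, reason) for pkt arriving on the interface of ingress_zone."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    # Anti-spoofing check first: a packet entering on the inside interface
    # whose source is not an internal address is invalid and discarded.
    if ingress_zone == "inside" and src_zone != "inside":
        return "drop", "spoofed source on inside interface"
    if src_zone == dst_zone:
        return "allow", "intra-zone traffic"
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone) == (src_zone, dst_zone) and pkt.dport in rule.dports:
            if rule.src_nets and not any(ip_address(pkt.src) in n for n in rule.src_nets):
                continue  # right zones and port, but wrong source subnet
            return "allow", "rule %s->%s:%d" % (src_zone, dst_zone, pkt.dport)
    src_level, dst_level = ZONES[src_zone][0], ZONES[dst_zone][0]
    if src_level > dst_level:
        return "allow", "higher to lower security level"
    return "deny", "default deny %s(%d)->%s(%d)" % (src_zone, src_level, dst_zone, dst_level)


if __name__ == "__main__":
    # Constructed test traffic; addresses come from documentation ranges.
    cases = [
        (Packet("198.51.100.7", "192.0.2.10", 80), "outside"),    # Internet -> DMZ Web
        (Packet("192.0.2.10", "10.10.1.5", 445), "dmz"),          # DMZ -> inside (blocked)
        (Packet("10.10.50.12", "10.200.0.5", 1433), "inside"),    # ops subnet -> historian
        (Packet("10.10.7.12", "10.200.0.5", 1433), "inside"),     # other LAN -> historian
        (Packet("198.51.100.7", "10.200.0.5", 1433), "inside"),   # spoofed on inside
        (Packet("10.10.7.12", "203.0.113.9", 443), "inside"),     # inside -> Internet
    ]
    for pkt, ingress in cases:
        verdict, reason = evaluate(pkt, ingress)
        print("%-16s -> %-14s :%-5d %-5s %s" % (pkt.src, pkt.dst, pkt.dport, verdict, reason))
```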

Resources: Hardening Systems
• Linux servers:
  - Bastille Linux: www.bastille-unix.org
  - Security-Enhanced Linux: www.nsa.gov/selinux
• MS Windows:
  - Windows 2000: www.microsoft.com/technet/security/prodtech/Windows2000/win2khg/default.mspx
  - Windows XP: http://tibit.com/technote/winxp.html
  - Windows 2003: www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
• National Institute of Standards and Technology (NIST) baseline security guides:
  - http://csrc.nist.gov/itsec

NETWORK SECURITY TECHNOLOGIES

The cyber-security industry is dominated by network security technologies. Knowing which ones to apply and how to apply them can be confusing and challenging. Firewalls, intrusion detection and prevention systems, and other solutions all have a role to play in implementing a network security plan. Understanding their capabilities and limitations is vital for successful implementation.

Firewalls

A firewall protects a network by monitoring and constraining the traffic that flows into it. It defines exactly what, and who, can get in or out of a network. Every electric cooperative should have a firewall in place between its network and the Internet.

Firewall hardware devices (firewall appliances) physically connect the Internet and the electric cooperative network. All Internet traffic (for example, e-mail and Web traffic) passes through the firewall appliance, which serves as a filter designed to block unauthorized access to the corporate network (see Figure 3.1).

Software firewalls are installed on servers to offer similar protection. Normally, software firewalls cost less to install than firewall appliances. But software firewalls can be difficult to install and properly administer. They are most widely used with laptops and home computers.

For most electric cooperatives, a firewall appliance may be the best option. A list of firewall devices from several vendors is shown in Table 3.1. To help organizations select the best firewall for their specific application, many firewall vendor sites on the Internet pose questions based on specific needs (such as number of servers, number of users, virtual private network—VPN—requirements, and budget) and then provide targeted solutions for best meeting those needs. Larger electric cooperatives may have a dedicated IT person or staff to provide assistance in selecting the best corporate security strategy. In addition, many IT consultants and vendors are available to assist electric cooperatives in choosing a firewall. Some vendors will even offer to install and maintain the firewall as a service for a monthly fee.

One of the side benefits of a firewall is the ability to provide VPN service. A VPN creates a secure (encrypted) communication channel between a network and a remote system (typically one across the Internet). For example, it can allow employees to access the corporate network from their home or when traveling. A VPN is also useful for making data connections between an electric cooperative’s main office and its district offices. Data traveling through the VPN connection is encrypted to maintain confidentiality and integrity over the Internet. VPNs promise to become even more popular in the future and should be a primary consideration for electric cooperatives when developing their network security strategies.

Although conceptually simple, modern firewalls are challenging to configure. One of the most common security vulnerabilities for an organization is a misconfigured firewall.

FIGURE 3.1: Typical Firewall Hardware Device—Barracuda Firewall.

TABLE 3.1: Firewall Devices.

Manufacturer/Model | VPN | Number of users | Speed | Interfaces | Price | Web site
3Com OfficeConnect VPN firewall | Yes | 253 | 10 Mbps | 4 | $339.99 | www.3com.com
3Com OfficeConnect ADSL Wireless 11g firewall router | Yes | 253 (64 wireless) | 54 Mbps wireless LAN | 4 | $93.99 | www.3com.com
Netscreen 5GT Plus | Yes | Unlimited | 75 Mbps | 4 | $750 | www.juniper.net
Netscreen 25 | Yes | Unlimited | 100 Mbps | 4 | $2,695 | www.juniper.net
SonicWALL Pro 2040 | Yes | Unlimited | 100 Mbps | 4 | $1,995 | www.sonicwall.com
SonicWALL Pro 1260 | Yes | Unlimited | 100 Mbps | 27 | $995 | www.sonicwall.com
Cisco ASA 5505 | Yes | 25,000 | 100 Mbps | 6 | From $419.99 | www.cisco.com
Cisco ASA 5510 | Yes | 280,000 | 1 Gbps | 4 | $5,519.99 | www.cisco.com

Single Versus Dual Firewalls

When creating a DMZ, one choice to be made is whether to use a single or dual firewall configuration.

• A single firewall configuration consists of a firewall with at least three network interfaces. These interfaces can be used to connect the Internet, the DMZ network, and the internal network. The advantages of this setup are that it is easier to build and maintain, and less expensive. The disadvantage is that it becomes a single point of failure in the network.

[Figure: A single firewall configuration (from Wikipedia). Labels: Internet; Router to external network.]

• A dual firewall configuration consists of two firewalls in which the first firewall separates the Internet from the cooperative network, and a second firewall separates the DMZ portion of the cooperative’s network from the internal network. In this scenario, the outer firewall must allow all traffic that would be allowed to and from both the internal network and the DMZ. The second firewall will then only allow the traffic that would be allowed to and from the internal network. This has the advantage of making attackers penetrate two firewalls instead of one. The disadvantage is that it is more costly to implement. When using a dual firewall, it is often recommended to use firewalls from different vendors to diversify the network defenses.

[Figure: A dual firewall configuration (from Wikipedia). Labels: Internet; Router to external network.]

TABLE 3.2: Common Firewall Traffic

Corporate firewall:
1. Web traffic to the Web server group in DMZ
2. E-mail traffic to the e-mail server group in DMZ
3. Secure file transfer protocol (FTP) traffic to FTP server in DMZ
4. VPN traffic to a specific IP group

EMS firewall:
1. VPN traffic to a specific IP group
2. SQL traffic into a DMZ if the SCADA historian exists in the DMZ

Firewall rules are written in a text code that requires knowledge of the syntax used for the rules, networking protocols, and the local network environment. Graphical tools to assist in designing and implementing firewall rule sets are highly desirable. In addition to making firewall rules easier to implement, they can offer suggestions for default rules that act as a checklist for certain common rules. For instance, a commonly applied rule mandates that packets lacking an internal source address, yet originating from within the internal network, are invalid and therefore discarded.

One option when managing firewalls is to engage a third-party monitoring service. In this instance, a company specializing in firewalls would need access to the firewall appliance of the organization, as well as some knowledge of the internal network. The benefits typically include 24/7 coverage and firewall appliance expertise. In any case, a firewall policy should clearly indicate such issues as who is responsible for maintenance of relevant hardware and who can authorize changes to the firewall rule sets.

Firewalls are an electric cooperative’s first and best line of defense against external attackers. Money, time, and resources spent on purchasing and configuring firewalls are a good investment for most electric cooperatives. Electric cooperatives should consider two firewalls: one to protect the cooperative system from the Internet, and one to protect the SCADA system from the cooperative network. These firewalls can be used to create DMZs by installing additional network cards and assigning these network cards a lower priority inside the firewall. As a result, a DMZ can be created without purchasing additional equipment. In most firewalls the outside or less secure interface is assigned a lower priority number, and traffic is denied by default from the lower security level to the higher security level. Only allow traffic that is absolutely required to flow from the lower or outside interface to the higher interface. Table 3.2 shows traffic that is commonly allowed through each firewall. Every electric cooperative’s needs are different, but the key is to remember that the more traffic allowed in, the less secure the network becomes from external attack.

The “Common Port List” sidebar shows the most common ports used for Internet traffic. A more comprehensive list of ports can be found on the Internet Assigned Numbers Authority Web site (see the sidebar, “Resources: Firewall Guidance”). Two other good sites that list IP ports with detailed descriptions are Richard Akerman’s Web site and the Network ICE Web site. It is important to note that ports only have to be open to allow traffic to pass into the firewall from an outside source. IP traffic can pass from the higher or inside interface to the outside interface even if the incoming port is blocked.

Common Port List

Port     Service   Description
20       FTP       The port the FTP server opens to send information back to the FTP client
21       FTP       The actual port that all FTP servers bind to by default
22       SSH       Secure Shell
23       Telnet    Remote log-ins using Telnet
25       SMTP      The port a mail server receives mail on
53       DNS       The port your Domain Name Service (DNS) listens to for DNS requests
68       DHCP      The port your Dynamic Host Configuration Protocol (DHCP) server listens to for handing out IP addresses and network information
79       Finger    Used to identify users on your system
80       HTTP      The port Web servers listen to by default
110      POP3      The port a mail server listens to for clients to pick up mail from
111      RPC       Required by network file system (NFS) servers and other RPC-based programs
113      Auth.     The port the ident server uses when a remote host wants to verify that the users are coming from the IP they claim to be coming from
119      NNTP      Usenet (newsgroups)
137-139  NetBIOS   The ports Windows and Samba use for sharing drives and printers with other clients
143      IMAP      The port a mail server listens to for clients using Internet Message Access Protocol (IMAP) to read mail instead of POP3
443      HTTPS     The port Web servers listen to by default for SSL-enabled Web activity

One alternative that a smaller electric cooperative might consider is outsourcing the most common services that require an electric cooperative to open up its firewall. E-mail, Web, and FTP service can sometimes be handled by the electric cooperative’s ISP without additional cost. If e-mail, Web, and FTP services are outsourced, then the ports for these services can be closed on the firewall.

Firewalls sometimes offer a feature called deep packet inspection. Normally a firewall decodes and inspects the header information of a data packet. This would correspond to the common protocols of transmission control such as TCP/IP, the Internet Control Message Protocol (ICMP), and User Datagram Protocol (UDP). In this way, all packets that flow through the network are inspected and filtered based on the common information found in these protocols, such as the source and destination of the packets. While this type of filtering is necessary and very powerful, the application layer—or the payload of the packet—is not inspected. Deep packet inspection spends the extra effort to examine the payloads transported by TCP/IP to detect other types of attacks that would not be detected by traditional packet filtering.

To perform deep packet inspection, the firewall must be designed to understand the particular protocol to inspect. Because so many protocols run over a network, it is a monumental task for the firewall vendor to provide software that can handle all of them. Thus, in most cases, the firewall will support the most common protocols and default to ordinary packet filtering when encountering a protocol that it does not understand. For this reason, it is important to understand the kinds of traffic that will be running across an electric cooperative’s network. For instance, does the organization have a Web server? Is IM allowed? Does the electric cooperative use/allow voice-over-IP? Is it desirable to inspect e-mail attachments before they reach the mail server, or the contents of compressed files downloaded from the Internet? By understanding how the network is being used, a firewall can be chosen that will be able to perform deep packet inspection of the protocols most important to the electric cooperative, improving the overall security posture.

Tips and Takeaways

Firewall configuration:
1. Use a hardware firewall for maximum protection
2. Enable firewall graphical user interface (GUI) to make configuration easier
3. Deny all traffic entering the firewall by default
4. Check and update the firewall’s firmware at least once a year
5. Use an external syslog program to monitor firewalls (Kiwi)
6. Perform yearly passive penetration testing (monitoring traffic outside of the firewall)
7. Apply firewall rules to groups, not to individual IPs

Resources: Firewall Guidance

• Internet Assigned Numbers Authority: www.iana.org
• Richard Akerman’s Web site: www.chebucto.ns.ca/~rakerman/port-table.html
• Network ICE: www.iss.net/security_center/advice/Exploits/Ports/default.htm
• SANS firewall checklist: www.sans.org/score/checklists/FirewallChecklist.pdf
• Three Interface Cisco PIX Firewall sample configuration: www.cianet.com.au/home2.nsf/pages/ciscopix

Network logging

An important feature to have on all gateway devices is logging. Activity logging involves keeping data about the activity that has passed through the network. While it is possible to keep full data about all traffic passing through the gateway, storage requirements often limit data to statistical information and firewall or intrusion alerts. These logs provide important information about network performance and can offer valuable insight when performing incident response.

Good logging and reporting features should be an important criterion for selecting a firewall. Centralized logging—that is, sending all log data to a single server—can provide superior management and the ability to correlate multiple logs to gain a better perspective of the network’s big picture. Incident response is also improved when using a centralized logging system to build a timeline of the events that took place during an incident. It is important to choose a system with robust reporting capabilities so that the log data can be easily understood and correlated.

The most popular logging standard is called syslog. Syslog is a system for transporting logging data over a network by utilizing a dedicated server to receive, store, and correlate data from numerous network devices, such as switches, routers, and servers. Numerous options exist for syslog servers. For instance, Kiwi syslog is a freeware syslog server for Windows that manages data from syslog devices. A powerful feature of some tools is anomaly detection. This works by monitoring log data over time to determine the normal functions of the network. After this learning period, the system can then flag deviations in network usage.

Whatever system is determined to be appropriate for the network environment, it is important to regularly review the log data. By checking the data periodically, a network administrator will become adept at spotting unusual network traffic that can be a precursor to an attack.

Internet access management

Internet access management is the process of controlling the Web sites a user is allowed to visit. Most systems that conduct access management are based on a proxy server, which acts as a gatekeeper. The three most common ways to articulate control through a Web proxy are: (1) to create a list of blocked sites, (2) to create a list of sites users are allowed to visit, and (3) to record which sites users view. Setting a list of blocked sites can be difficult because of the sheer volume of content. Maintaining a list of sites that users are allowed to visit is more secure, but can be overly restrictive. Finally, recording what sites are viewed by the user allows for inspection of user browsing habits.

There are services that maintain complex “block and allow” lists for proxy servers. The most commonly used software is the “Squid” proxy maintained by the open-source community. Squid is available free for personal or commercial use. Other services, such as TwoTrees and Wavecrest, specialize in keeping complex blocked-site lists for proxy servers. For a large organization where access to the Internet needs to be restricted but not entirely blocked, these services can save a great deal of time and trouble.

Access-management packages can also address bandwidth usage problems by acting as a cache for Web sites. Often the same Web sites are accessed by many members of an organization. When the site is first accessed, the management system can download a copy of the site from the Internet and store it locally. When other users later access the same site, the local version is provided to the user, alleviating the need to allocate bandwidth to download the same page again. Pages in the cache are periodically checked to ensure that the latest version of the page is locally available.

Internet monitoring packages can be used to monitor Internet traffic by users and to create reports that show the amount of Internet activity as well as the categories of the sites visited. Instead of blocking Internet sites, electric cooperatives might consider using an Internet monitoring package. Monthly reports can then be created and reviewed by supervisors or IT personnel.

Dial-up security

Dial-up modems allow employees access to networks while traveling and provide remote access for equipment suppliers and IT support personnel. Dial-up access is extremely convenient and is increasingly used by electric cooperatives. But it also provides a convenient path for unauthorized users to gain network access. Several strategies can be used to stop unauthorized network access through dial-up modems. These include password protection, callback features, secure ID cards, and keeping modems powered off except when needed. Electric cooperatives should develop guidelines and procedures integrating the strategies they deem most effective for protecting dial-up access as an integral part of their security plan.

Electric cooperatives might consider setting up a VPN instead of using dial-up modems. VPN access provides higher bandwidth and additional security compared with dial-up modems. If dial-up modems are used on the electric cooperative’s SCADA system, it is a good practice to leave these modems turned off all the time. At locations that have 24-hour system operators, the operators can turn the modems on when personnel need to dial in to the SCADA system.

Intrusion detection systems

Intrusion detection systems (IDSs) are a popular means of both monitoring and protecting networks. These systems inspect network traffic using intelligent pattern recognition and algorithms to identify malicious activity. When such activity is detected, the IDS alerts the computer administrator and/or automatically shuts off access to the affected resource.

There are two broad classes of intrusion detection systems: (1) network-based intrusion detection systems (NIDSs), which examine the traffic on a network for signs of intrusion, and (2) host-based intrusion detection systems (HIDSs), which monitor individual machines such as servers and workstations. NIDSs can centrally monitor all of the computers on a network segment, while HIDSs track the activity on an individual computer. In addition, HIDSs can provide more specific information about an attack and take defensive actions, closing off avenues of attack. The combined use of both NIDSs and HIDSs offers the most comprehensive monitoring solution for enterprise networks.

There are several different types of IDSs. Aside from the distinction between NIDSs and HIDSs, individual products may contain one or more of the following types:

• Signature based. Detection of attacks is based on a set of known behaviors or data patterns. Few false alarms are reported with this type of IDS. But, as with antivirus software, regular signature updates are required.
• Anomaly based. A baseline of normal network traffic patterns is established (including IP and media access control [MAC] addresses, typical packet sizes, and so on) to compare against monitored traffic. This can result in many false alarms, especially during initial setup.
• Passive IDS. Once suspicious activity is detected, the system creates a log entry and sends an alert.
• Reactive IDS. When unauthorized activity is detected, a log entry is created and an alert is sent. The system will then take predefined actions against the intruder (for example, locking out an IP or MAC address or closing down the access point).

Several vendors offer IDSs, including Internet Security Systems, Symantec, Cisco, Securiant and SecureWorks, and True Digital Security. Some sell systems directly to customers, while others offer intrusion detection as a service and provide continuous monitoring for a monthly or annual fee. This “managed security” approach is an especially attractive option for electric cooperatives that may not have the staff or resources to purchase and monitor their own equipment. A number of companies provide intrusion detection and monitoring services for electric cooperatives. Other vendors offer decoy systems designed to lure attackers into an area of the system containing false data to expose the intrusion.

Additional information on IDSs can be obtained from the above-listed vendors, or by visiting the SANS Institute site at www.sans.org. This site offers a wealth of information on computer and Internet security and is a great resource for electric cooperatives who want to learn more about security issues. In addition, the SANS Institute publishes a “Top 20” list, which details the top vulnerabilities on Windows- and UNIX-based systems.

Intrusion prevention systems

Intrusion prevention systems (IPSs) extend the functionality of IDSs with real-time response to detected intrusions. They are most commonly connected to firewalls, supporting dynamic network traffic control to thwart a detected attack. IPSs can be either host based or network based. In either case, they tend to look deeper at network traffic, often conducting application-level content (“deep packet”) inspection.
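The network logging and intrusion detection passages above describe one workflow: collect gateway logs on a central syslog server, learn what normal looks like during a learning period, and then flag both known-bad patterns (signature detection) and deviations from the baseline (anomaly detection). The following Python script is an added example of that workflow; it is not code from the handbook, from Kiwi, or from any IDS vendor, and the syslog-style message format, host names, addresses and log lines are all constructed:

```python
"""Centralized firewall-log review: signature alerts plus a learned baseline.

Added example, not code from the handbook or any vendor product. It parses
constructed syslog-style firewall messages of the kind a central syslog
server receives, raises signature alerts for known-bad patterns, learns a
baseline from a learning period of normal traffic, and then flags
deviations from it: destination ports never seen before, and minutes whose
event rate exceeds the baseline. Format, hosts and addresses are constructed.
"""
import re
from collections import Counter

# Constructed message layout: "<Mon dd HH:MM:SS> <host> fw: <ACTION> SRC=.. DST=.. PROTO=.. DPT=.."
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d (?P<host>\S+) fw: "
    r"(?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def parse_lines(lines):
    """Parse firewall lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dpt"] = int(ev["dpt"])
            events.append(ev)
    return events


# Signature rules: known-bad patterns (few false alarms, but the list must be maintained).
SIGNATURES = [
    ("telnet-attempt", lambda ev: ev["proto"] == "TCP" and ev["dpt"] == 23),
    ("netbios-attempt", lambda ev: ev["dpt"] in (137, 138, 139)),
]


def signature_alerts(events):
    """Every event matching a signature yields (rule name, source, port)."""
    return [(name, ev["src"], ev["dpt"])
            for ev in events for name, match in SIGNATURES if match(ev)]


def learn_baseline(events):
    """Learning period: which destination ports are normal, and how busy a normal minute is."""
    per_minute = Counter(ev["minute"] for ev in events)
    return {"ports": {ev["dpt"] for ev in events},
            "max_per_minute": max(per_minute.values(), default=0)}


def anomaly_alerts(events, baseline, rate_factor=2):
    """Flag ports outside the baseline and minutes busier than rate_factor x the baseline peak."""
    alerts = [("new-port", ev["src"], ev["dpt"])
              for ev in events if ev["dpt"] not in baseline["ports"]]
    per_minute = Counter(ev["minute"] for ev in events)
    threshold = rate_factor * baseline["max_per_minute"]
    alerts += [("rate", minute, n) for minute, n in sorted(per_minute.items()) if n > threshold]
    return alerts


def constructed_baseline_lines():
    """Five quiet minutes of normal Web and mail traffic (constructed)."""
    lines = []
    for minute in range(5):
        for port, src in ((80, "203.0.113.5"), (443, "203.0.113.6"), (25, "203.0.113.7")):
            lines.append(f"Nov  3 10:0{minute}:12 fw1 fw: ACCEPT SRC={src} "
                         f"DST=192.0.2.10 PROTO=TCP DPT={port}")
    return lines


# Constructed monitoring window: one normal hit, then a burst of probes from one source,
# then a line in another format that the parser must skip.
MONITOR_LINES = [
    "Nov  3 10:10:01 fw1 fw: ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80",
] + [
    f"Nov  3 10:10:0{i + 2} fw1 fw: DROP SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT={port}"
    for i, port in enumerate((21, 22, 23, 135, 139, 445, 1433, 3389))
] + ["Nov  3 10:10:10 fw1 fw: link state changed"]


def review(baseline_lines, monitor_lines):
    """Run both detectors over a monitoring window using a learned baseline."""
    baseline = learn_baseline(parse_lines(baseline_lines))
    events = parse_lines(monitor_lines)
    return {"signature": signature_alerts(events),
            "anomaly": anomaly_alerts(events, baseline)}


if __name__ == "__main__":
    for kind, alerts in review(constructed_baseline_lines(), MONITOR_LINES).items():
        for alert in alerts:
            print(kind, alert)
```

The two detectors show the trade-off the text describes: the signature rules name exactly what they hit and raise nothing else, but the port sweep from 198.51.100.9 only becomes visible as a whole through the baseline, which flags eight unseen ports and a nine-event minute against a learned peak of three; a learning period that is too short or not representative would produce the same kind of alerts for legitimate traffic.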

The fundamental protective action of an IPS is to block traffic that is determined to be part of an ongoing attack. This is effective against a wide range of threats—malicious Web traffic, protocol-based attacks, viruses, and more. But IPSs can also offer flow rate-based protective services and shape network traffic to limit the negative effects of DoS attacks.

IPSs are powerful and sophisticated tools for defending your network. As a consequence, it is important to appreciate the complexities in their deployment and management. If considering an IPS solution, one should ask the following questions:
1. What is the level of firewall integration support?
2. What attack, discovery, and detection schemes does it use?
3. What are its response capabilities?
4. What level of expertise/training is required for management?
5. How expressive is its policy description system?

Resources: Intrusion Detection and Prevention Systems

• SANS intrusion detection frequently asked questions (FAQ): www.sans.org/resources/idfaq
• Top 20 security vulnerabilities: www.sans.org/top20/?portal=a4f866afeb43c4aa3e75677b23ed87b5
• IPSs: www.sans.org/reading_room/whitepapers/detection/366.php

WIRELESS NETWORK SECURITY

The primary difference between a wireless and a wired network is that data travel through the air instead of over a wire. Wireless networks incorporate “access points” where clients can wirelessly connect to a wired network. Usually an access point engages some sort of authentication and enforces encryption of user connections. A spectrum of wireless network technologies exists, each with its own distinct profile that varies in range, bandwidth, and expense.

There are several different ways an attacker can exploit a wireless system. One of the more common practices is termed “war driving,” where attackers (usually one driver and another person on a laptop) cruise around scanning for vulnerable wireless networks. War drivers can go as far as to use global positioning system (GPS) receivers to mark locations where they’ve found networks.

Once attackers compromise a wireless network, there are a variety of things that they can do. Many times, attackers may only be looking for convenient Internet access. Although most wireless security intruders are simply “bandwidth thieves,” experienced attackers can do far more damage. Once an attacker has access to a wireless system, he can compromise any other device exposed from that point of intrusion on the network.

Electric cooperatives should monitor wireless networks to make sure that personnel do not connect unauthorized wireless devices to the electric cooperative corporate or SCADA network. It is fairly easy for unauthorized personnel to hook up an unsecured wireless access point and discover a direct path into the cooperative’s network. For additional information, visit Microsoft TechNet for a guide to wireless security.

Wireless Security Tips

Default passwords and settings. Most wireless access points have a default password; changing it is an essential first step in securing an access point. Hackers can easily find factory default password lists on the Internet. It is also advisable to change the range of addresses assigned by the access point to more easily identify systems that are connected. Such settings are usually found within the access point or wireless router configurations.

MAC filtering. An additional layer of security can be realized by using MAC filtering. A MAC address is a network card’s digital “fingerprint” and can be used to uniquely identify each wireless card. Most wireless access points allow you to limit access to specific MAC addresses. This way, only the wireless cards you wish to connect to your network will be permitted.

RADIUS servers. For large wireless networks, consider using Wi-Fi Protected Access (WPA) with a RADIUS server. RADIUS allows you to assign usernames and passwords for signing onto a wireless network. Larger organizations that use technologies such as Open Directory and Lightweight Directory Access Protocol (LDAP) can tie the RADIUS server into those systems and use the accounts already in place for network authentication.

Wired equivalent privacy

Unsecured wireless networks pose an enormous security risk. Without the use of encryption, data is transmitted in plain text and can be intercepted by anyone within range of the wireless access point. Using a large antenna, an attacker could intercept data being transmitted on a network at a distance of a mile or more. Thus, all wireless network communications should be secured with encryption whenever possible.

Encryption has been a standard offering in wireless networks since the adoption of the 802.11b specification’s Wired Equivalent Privacy (WEP) encryption. But WEP relies on a rather weak encryption algorithm and was poorly implemented—experienced attackers with the right tools can break this kind of encryption in under five minutes. Newer encryption algorithms, called WPA and WPA2, are being implemented within 802.11g and 802.11n. WPA encryption is currently sufficient for day-to-day use, but it was only designed to provide as much protection as a physical wire. Thus, any vital information should be encrypted again (superencrypted) using stronger protection.

Safeguarding Bluetooth

Bluetooth technology allows the wireless connection of devices via short-range radio frequencies (RF). Bluetooth can be used on a variety of devices such as digital cameras, printers, scanners, cell phones, personal digital assistants (PDAs), laptops, keyboards, mice, headsets, GPS navigation receivers, and many more.

Bluetooth’s wireless frequency domain occupies an unlicensed portion of the Industrial, Scientific, and Medical (ISM) band from 2.4 GHz to 2.485 GHz, allowing Bluetooth-enabled devices to interconnect. It borrows many features from existing wireless standards such as the Institute of Electrical and Electronics Engineers (IEEE) 802.11, Infrared Data Association (IrDA), Digital Enhanced Cordless Telecommunications (DECT), and TCP/IP. As a consequence, Bluetooth inherits a variety of capabilities, such as voice data transmission, local area network (LAN) capabilities, privacy, and authentication, but it also carries numerous vulnerabilities.

Known threats to Bluetooth networks range from nuisances to more serious attacks. A DoS attack on a Bluetooth network sends signals on the same RF frequency as the target device, preventing or reducing its connective capability. Although this attack can impair business, it poses little threat to data security. A simple Bluetooth DoS countermeasure is to move to another location. Other forms of Bluetooth attacks are Bluebugging, Bluesnarfing, and Bluejacking. These attacks are described in the sidebar “Bluetooth Hazards.”

There are a variety of methods for securing Bluetooth devices. First, providing the users with devices or a list of authorized devices can help achieve a baseline set of security standards. Audit trails and inventory lists can help ensure that use patterns and the number of devices in service are known. Authenticating and authorizing users upon connection initialization, and engaging a separate authorization system to track user-data accesses also contribute to safe use of Bluetooth devices.

Bluetooth Hazards

Bluebugging. This attack allows hackers to eavesdrop on phone conversations, place phone calls, send and receive text messages, and even connect to the Internet. Substantial effort is needed to carry out this type of attack, rendering Bluebugging a less likely threat than other types of attacks.

Bluesnarfing. Here, an attacker gains access to a Bluetooth-enabled device to steal user-stored information or even the device’s International Mobile Equipment Identity (IMEI), which allows the attacker to reroute incoming calls. Simple protective measures, such as setting the device to “nondiscoverable” mode, are effective at deterring this kind of attack.

Bluejacking. These attacks send unsolicited messages to Bluetooth-enabled devices. The attacker must be within 10 meters of the Bluetooth user. The easiest ways to counteract this type of attack are to delete the wireless business card, not add the message sender to the contact list, and set the Bluetooth device to nondiscoverable mode.

Tips and Takeaways

• Create a network architecture that defines “zones” for IT assets that share common functional and security requirements.
• Define a network services security policy to guide firewall implementation, and not the other way around.
• Superencrypt wireless network traffic.

Protecting Information Services

Security issues exist at every level of any information system—from hardware on up to applications. Security technologies and solutions are usually geared toward protecting one level of the system. For example, a simple packet filtering firewall may block what it recognizes as “bad” packets, but cannot detect attacks that appear benign at the network level but—in the context of application workflow—are malicious. This section explores two emerging categories of information services for the electric cooperative: Web applications and IM.

WEB-APPLICATION SECURITY

Web-application security is an important complement to network security. Not only should security controls—such as authentication, traffic monitoring, and filtering—be in place at the network level, but application-level controls should be used as well. Application-level security controls use a deeper understanding of traffic content in the context of target applications to prevent attacks on information services. What looks like an innocent database query to a perimeter firewall may be a serious threat to the application.

Attackers exploiting vulnerabilities in Web applications can perform several types of attacks once a system has been penetrated. One of the most common attacks on Web-enabled databases themselves is SQL Injection. Using the SQL database language, malicious code is inserted into the queries sent to the database and used to gain access and corrupt the information within. Some databases are not designed for access via the Internet, but many provide a programming interface and open ports to support database-enabled Web applications. One of the unanticipated consequences of this is that search engine spiders and robots may ultimately locate and map these services into their search index, revealing an access path to the public. For example, by using Internet search engines such as Google, it is possible to locate any Internet-facing database running iSQLPlus.

Most databases come with multiple default user accounts with default passwords, which are well known and can be used by attackers to gain access. Other unpatched security vulnerabilities are likely to exist. Using the privileges given to the database by the operating system, system commands can be executed, allowing the attacker expanded system access.

Common Web Application Attack Scenarios

Privilege escalation. The attacker escalates her user privileges to a higher degree, such as the upgrade of a Windows system account from “user” to “administrator.” This provides her with the ability to load and run potentially malicious programs.

Data manipulation. An attacker changes information within a Web site, typically through the manipulation of hidden data fields. By an attack on data integrity, a cyber criminal could, for instance, change pricing data that would allow him to purchase an item for $5 instead of $5,000.

Cross-site scripting. The attacker will disguise data within a seemingly legitimate Web site address, which can be sent to the user in an official-looking e-mail. When clicked, the user will be directed to the attacker site, where private information can be obtained or malware downloaded.

INSTANT MESSAGING SECURITY

IM over the Internet is a simple and useful text communications service. Yet it introduces a surprising number of management complications and security risks. IM applications often require that data flow through firewalls in such a manner that unauthorized network traffic also can pass through the firewall.

The first step in securing IM is to determine if any IM applications are currently in use for business purposes. Check with electric cooperative staff members and vendors. IM may be used as part of a business application system, or as a method of communicating with a vendor’s product support organization.

If there are no legitimate business needs for IM, simply change firewall settings to block all IM traffic. If there are legitimate business needs, take steps to:

• Prevent internal staff from using IM applications that they have not been specifically authorized to use.
• Block potentially malicious IM messages that contain viruses or are part of an IM-based DoS attack.
• Log information about any IMs that have been blocked and produce appropriate activity reports.
• Limit use of IM to messaging within the electric cooperative’s network while preventing IM messages from entering or leaving the network.

Software tools such as IM Guardian from FaceTime Communications (www.facetime.com) are available to perform these IM-blocking functions. In addition, firewall software frequently comes with capabilities needed to secure IM.

Tips and Takeaways

• Evaluate specific application-level security risks and hazards that would not be mitigated by network- or host-centric controls.
• Ensure that Web-enabled database systems are regularly patched and make full use of access control protection.
• Evaluate the role of IM in electric cooperatives and limit IM use where possible.
• Consider using an IM solution that is internal to the cooperative’s network and block IM traffic from entering or leaving the network, for instance Srimax Software’s Outlook Messenger.

Resources: Security for Instant Messaging and Other Wireless Technologies

• A guide to wireless security: www.microsoft.com/technet/technetmag/issues/2005/11/SecurityWatch/default.aspx
• Instant insecurity: www.securityfocus.com/infocus/1657
• Securing IM: http://securityresponse.symantec.com/avcenter/reference/secure.instant.messaging.pdf
• Internal IM: http://lan-chat.srimax.com
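The Web-application discussion above makes the point that a perimeter firewall sees only an innocent-looking database query while the application is what gets hurt. The following Python example, added here and not code from the handbook, shows a SQL injection against a string-built query beside the parameterized and input-validated form that application-level controls would use; it uses Python's built-in sqlite3 module with a constructed in-memory member table, and the account-number format, names and balances are made up:

```python
"""SQL injection: the vulnerable query beside its hardened form.

Added example, not code from the handbook. A perimeter firewall sees only a
TCP connection to the Web server; the injected input below travels inside an
ordinary-looking request, which is the application-level blind spot the text
describes. Uses sqlite3 with a constructed in-memory table.
"""
import re
import sqlite3

ACCOUNT_RE = re.compile(r"^A\d{4}$")  # constructed account-number format


def setup_db():
    """Create a constructed member table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (account TEXT PRIMARY KEY, name TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [("A1001", "Alice", 120.50), ("A1002", "Bob", 80.00), ("A1003", "Carol", 15.25)],
    )
    return conn


def lookup_vulnerable(conn, account):
    """Builds the SQL text from user input, so the input can rewrite the query's logic."""
    sql = "SELECT account, name, balance FROM members WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account):
    """Parameterized query: the input is bound as a value and is never parsed as SQL."""
    return conn.execute(
        "SELECT account, name, balance FROM members WHERE account = ?", (account,)
    ).fetchall()


def validate_account(account):
    """Allow-list validation at the application layer, a second, independent control."""
    return bool(ACCOUNT_RE.match(account))


def lookup_hardened(conn, account):
    """Validation plus parameterization: malformed input is rejected before any query runs."""
    if not validate_account(account):
        raise ValueError("malformed account number")
    return lookup_safe(conn, account)


if __name__ == "__main__":
    db = setup_db()
    normal = "A1002"
    hostile = "' OR '1'='1"  # the textbook injection string (constructed input)
    print("vulnerable, normal input :", lookup_vulnerable(db, normal))
    print("vulnerable, hostile input:", lookup_vulnerable(db, hostile))  # every row leaks
    print("safe, hostile input      :", lookup_safe(db, hostile))        # no rows
```

Parameterization is the control that actually removes the flaw; the allow-list check in `validate_account` is worth keeping as well because it rejects malformed input before the database is involved at all and gives the application something specific to log.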

Section 4: Protecting Electric Distribution Control Systems

In This Section:
• SCADA Systems
• Attacks on SCADA Systems
• Security for SCADA Systems
• Security Questions and Recommendations for SCADA Systems

While servers and workstations are key business tools for managing data and providing customer service to members, electric cooperatives also use computer systems for operation and control of their electric transmission, distribution, and generation systems. Electric cooperatives face an increased likelihood of computer-based attacks against utility substations, which could cause power outages and damage equipment. The specter of cyber terrorism, instability in utility job markets, and growing use of computer-based control systems in electric cooperative computer networks all increase the risk of attacks on utility power systems.

The protection of SCADA networks, which comprise electric distribution control systems, is therefore a primary concern of the modern electric cooperative. While the fundamental principles of information security remain in play for securing SCADA networks, the implementation details and solution space are remarkably different.

SCADA Systems

SCADA systems provide real-time control and monitoring of electric distribution systems. According to IEEE Standard 1402-2000, Guide for Electric Power Substation Physical and Electronic Security, “the introduction of computer systems with online access to substation information is significant in that substation relay protection, control, and data collection systems may be exposed to the same vulnerabilities as all other computer systems. As the use of computers within the substation environment increases, the need for security systems to prevent electronic intrusions may become even more important.”

Control system computers and other devices (remote terminal units, programmable logic controllers, and so on) now use Ethernet ports, wireless devices, dial-up modems, and other remote access techniques to facilitate maintenance and enable sharing of data across multiple networks. Software used by SCADA and EMS to control and monitor these devices may not have adequate safeguards built in to effectively prevent security breaches. As a result, control systems are now more vulnerable to hackers and cyber terrorists. The consequences of an attack could be major outages or even loss of life.

Having an accurate time source is critical on SCADA systems. System time affects several important factors associated with SCADA systems, including SCADA alarms, security alarms, and event data. SCADA control execution and valid control operation time frames are all driven off of the system time. As a consequence, the integrity of the time source and synchronization process are of extreme importance.

One possible solution for time synchronization is a GPS or satellite clock. GPS clocks combine time estimates from multiple satellite atomic clocks to provide accurate time. GPS clocks can be connected serially to one server on the SCADA system. Time can then be synchronized via a variety of methods to all the other servers, workstations, and remote terminal units (RTUs) on the SCADA system. Network Time Protocol (NTP) is commonly used to synchronize clocks from the time source to other devices within a SCADA TCP/IP network.

Attacks on SCADA Systems

Many SCADA systems have remote-access capabilities or individual substation components that are vulnerable. In addition, SCADA systems are now tied into electric cooperative networks, and through the electric cooperative network into the Internet. This increased connectivity means that anyone on the Internet could gain privileged access to a SCADA system unless safeguards are put in place.

Attacks on utility control systems can come from both internal and external sources. As a result, it is important to protect SCADA systems from disgruntled employees, suppliers, contractors, and consultants as well as external attackers. The blue arrows in Figure 4.1 identify potential points of entry on SCADA systems for attackers. These are focused on workstations and terminals on each segment of the electric cooperative’s network, as well as internal and external network junction points.

Table 4.1 describes common vulnerabilities discovered by the Department of Energy (DOE)

FIGURE 4.1: SCADA System Attack Entry Points. [Figure not reproduced. It shows three network segments, Internet, Corporate Network, and SCADA Network, connected through a router and a modem bank; labelled elements include workstations, Web servers, EMS, SCADA servers, databases, modem, RTU, DCS, historian, SQL server and IED, with communications over TCP/IP, wireless, dial-up, and leased lines.]

TABLE 4.1: SCADA Vulnerabilities as Reported by the DOE.

Category: Description

• Clear text communications: Clear text (unencrypted) communications—observed in network traffic—revealed user names and passwords. In some cases, clear text communications were observed between the control system network and external corporate network.
• Account management: Weak passwords discovered on privileged accounts. Hard-coded usernames and passwords found in documentation or extracted from binary executables or configuration files. Poor password-protection policies contributed to this problem.
• Weak authentication: Little or no authentication of host-to-host communications, increasing vulnerability to impersonation, replay, and man-in-the-middle attacks.
• Coding practices: Poor string handling and buffer management in application software, making them vulnerable to subversion by malicious input.
• Unused services: Services with known vulnerabilities running on hosts; need for the service was not apparent in the system architecture.
• Network addressing: Network address resolution protocols (DNS, address resolution protocol [ARP], and so on) were exploitable by spoofing or other bypassing schemes.
• Scripting/interface programming: Batch files and other script files (Perl and so on) exploitable with malicious input or other techniques.
• Unpatched components: Old versions of software modules containing known vulnerabilities.
• Web servers and clients: Web servers not securely configured, allowing directory traversal and file modification.
• Perimeter protection: Connections initiated from outside the SCADA perimeter; firewalls poorly configured.
• Enumeration: Web servers and other network services revealing version and other information of use to an attacker.

Source: Department of Energy.

These vulnerabilities were reported as a result of a 2006 study of 10 separate cyber-security vulnerability assessments performed on process control, SCADA, and EMS.

Documented electronic intrusions into utility control systems to this point are rare. Still, there is heightened awareness of the need for security due to the potential damage that could result from such attacks. Moreover, the expectation is that attacks on these systems will become more frequent. By gaining access to a substation control panel or protective system, an intruder could potentially:

• Shut down the substation or some portion of it, depending on which device was accessed.
• Steal or alter metering data gathered by the SCADA system.
• Use the SCADA system as a potential backdoor into the electric cooperative network and gain access to customer credit and personal identification information.
• Change protective device settings or disable the accessed device.
• Gain information on other substation information stored within the network for future attacks.

Electric cooperatives have a responsibility to ensure that utility distribution and control systems have both physical and electronic protection measures in place. The risks are too great for electric cooperatives to be complacent when it comes to substation security.

Security for SCADA Systems

The mission criticality and time-sensitivity of SCADA systems induce unique security requirements. SCADA systems require more stringent control of external connections, even while accessibility and functionality demands increasingly dictate greater remote access. The special nature of SCADA system applications means that great care must be taken in configuring them for security. In terms of system maintenance, networking limitations severely constrain options for patch management.

PROTECTING EXTERNAL CONNECTIONS

Each and every connection to a SCADA network introduces additional security risks, particularly those engaging routable protocols such as TCP/IP. But strategies can be employed to secure these access points, including the placement of firewalls between SCADA systems and external connections. If firewalls are not technically or economically viable, then router access lists should be activated on all routable devices and only necessary traffic should be allowed. Regardless, the solutions adopted must be guided by an explicit and coherent SCADA network security policy.

Minimizing risks from connections such as dial-up modems can be achieved by using strong authentication and/or callback-type systems. The use of strong encryption and access control can help prevent wireless devices from directly attacking a SCADA network. The insertion of a physical step before inbound connections are made active, such as power time devices, provides an additional layer of security.

Monitoring services for inbound and outbound SCADA network connections offer a complete picture of the network’s communications topology. Like any network, SCADA networks are only as secure as the weakest access point in the system. Improving the security at each entry point will yield stronger perimeter security.

Separate workstations should be installed that are dedicated to the SCADA system. Using the same workstation for SCADA information and general network access is not a good security practice—it violates the principle of least common mechanism. System operators and support personnel should have two workstations: one for SCADA access and one for general Internet and corporate access.

The following sidebar provides recommended guidelines for allowing outside access into the control network. These guidelines focus on two basic connection methods: use of a dial-up modem and connectivity through the Internet. Following these suggestions will result in better protection for SCADA network connections.

SCADA SYSTEM APPLICATION SECURITY

Like any application platform, SCADA systems support execution environments for programs that are required for operation or fulfillment of an enterprise mission. The applications

Guidelines for Controlling External Connections

• Only grant access to those vendors who have a legitimate business need.
• Limit the number of third-party vendor accounts, and eliminate multiple accounts for a single vendor if possible.
• Use strong authentication (for example, strong passwords) when creating accounts.
• Limit the number of people within your organization who have knowledge of access accounts.
• When connecting through a dial-up connection, keep numbers private and use a callback authentication process.
• Use a secure VPN when connecting through the Internet.
• Use software-based firewalls on SCADA operator’s consoles.
• Ensure that detailed audit logs are enabled at both the dial-up and Internet-accessible entry points and that the logs are monitored.
• Have third-party vendors inform designated personnel when accessing the control network.
• Document all access to the control network and any changes within the network.
• Apply least privilege concepts to all devices.

that run on SCADA systems can likewise be used or abused for nefarious ends. This section discusses various strategies for hardening SCADA system applications and preserving their security.

SCADA applications usually require multiple log-ins (first to the network and then to the application itself). One possible solution for overcoming the complexity of multiple log-ins is to support a Single Sign-On (SSO) by tying the rights of the network log-in into the SCADA system. A SSO can be created by setting up the SCADA system to use Active Directory. A SSO eliminates one level of security, but this is balanced out by the increased usability (and psychological acceptability) of the system from the user’s perspective. In either case, it is vital to ensure users have unique network and application log-in IDs. A SSO approach should only be considered if the SCADA application security features described in the next section are also enabled.

Many SCADA systems have powerful built-in application security features. The ability to protect data and authenticate communications at the application level offers an added layer of security beyond the controls present on the SCADA network. These application-level security features should be used in accordance with the principle of least privilege.

Many SCADA system applications use SQL databases such as Oracle or MSSQL Server for long-term storage of SCADA information. Internal users as well as personnel outside the SCADA network may require access to this information. Several steps should be taken to preserve the security of the SCADA database and support access to long-term SCADA data:

• Remove unnecessary and default user accounts from the SQL database.
• Change all default passwords.
• Change passwords periodically.
• Review and change the permissions of vendor-created SQL user IDs. Create read-only users for reporting purposes. Limit the rights of all other users to only the rights that are required.
• Use the administrator account only when performing system administration functions. Use a separate log-in for normal operation.
• If appropriate, consider using a single sign-on configuration to link the database log-in with the network log-in. This will prevent users from having a separate log-in ID for database access.

Instead of allowing external access to the SCADA system to view long-term SCADA data, consider moving the SQL data outside the SCADA system. Moving the data can be accomplished by using the following methods:

• Place the SCADA SQL server in a DMZ zone between the SCADA network and other networks where the data is required.
• Replicate SCADA database information to a separate SQL server located outside the SCADA firewall.

SCADA SYSTEM PATCH MANAGEMENT

Software patching on SCADA systems can be far more complicated than patching on normal systems. For one thing, many SCADA systems require 24-hour uptime. In addition, many SCADA systems do not have access to network update sites. Thus, applying automatic update strategies may not be practical. But alternative solutions can be used to address SCADA system patching needs.

• SCADA vendors can provide security patch review information to customers. The vendor will review and test security patches before recommending their installation.
• Patch-management software can offer selective control of the patching process. In addition, patch updates can be downloaded to a file location instead of directly installed from the Internet.
• SCADA systems can be purchased with a development or test server. Patches can be installed on this test system first to make sure the patch will not affect the real-time operation of the SCADA system.
• SCADA systems usually contain redundant servers. Electric cooperatives can patch one server and fall back to the unpatched server if problems occur with the patch.
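The perimeter advice above (firewalls or router access lists that pass only necessary traffic, and a SQL replica in a DMZ instead of opening the SCADA network to reporting users) can be checked mechanically. The following is an added example and not code from the handbook; the zone names, the rule format, the MSSQL port 1433 and the two constructed rulesets are assumptions made for illustration.

```python
"""Audit of perimeter rules for a SCADA network with a DMZ-hosted SQL replica.

Added example (not from the handbook). Zone names, ports and the rule
format are assumptions; the checks encode the handbook's advice that only
necessary traffic crosses the SCADA perimeter and that long-term data is
served from a replica in the DMZ rather than from inside the SCADA network.
"""
from collections import namedtuple

# src zone, dst zone, TCP port (int or "any"), "allow" or "deny"
Rule = namedtuple("Rule", "src dst port action")

OUTSIDE = {"internet", "corporate"}   # zones outside the SCADA perimeter
SQL_PORT = 1433                       # MSSQL replica in the DMZ (assumed port)
DEFAULT_DENY = Rule("any", "any", "any", "deny")

# Constructed ruleset that mirrors the DOE "perimeter protection" finding:
# corporate users reach SCADA hosts directly and no port limits are applied.
WEAK_RULES = [
    Rule("corporate", "scada", "any", "allow"),
    Rule("internet", "corporate", 443, "allow"),
    Rule("scada", "corporate", "any", "allow"),
]

# Constructed ruleset following the handbook: SCADA pushes replication to the
# DMZ replica, reporting users read the replica, and everything else is denied.
HARDENED_RULES = [
    Rule("scada", "dmz", SQL_PORT, "allow"),
    Rule("corporate", "dmz", SQL_PORT, "allow"),
    DEFAULT_DENY,
]


def audit_ruleset(rules):
    """Return a list of policy findings; an empty list means the ruleset passes."""
    findings = []
    if not rules or rules[-1] != DEFAULT_DENY:
        findings.append("no explicit default-deny rule at the end of the access list")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src in OUTSIDE and r.dst == "scada":
            findings.append(f"rule {i}: connection initiated from outside the "
                            f"perimeter into SCADA ({r.src} -> scada:{r.port})")
        if r.port == "any":
            findings.append(f"rule {i}: allows all ports ({r.src} -> {r.dst}); "
                            "permit only the traffic that is required")
        if r.src in OUTSIDE and r.dst == "dmz" and r.port != SQL_PORT:
            findings.append(f"rule {i}: DMZ exposes more than the SQL replica port")
    return findings


def permitted(rules, src, dst, port):
    """First-match evaluation of a flow, as a router access list would do it."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, "any"):
            return r.action == "allow"
    return False   # implicit deny when no rule matches


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_ruleset(rules) or "OK")
```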

Security Questions and Recommendations for SCADA Systems

SCADA vendors are becoming more aware of the need for security “out of the box.” But many SCADA systems are still behind in implementing standard security practices into the default system configuration. The sidebar “SCADA Security Questions” lists security-related questions that should be asked when considering a new SCADA system. A summary of recommendations for securing these systems is given in the sidebar “Tips for Securing SCADA Systems.” Electric cooperatives would be prudent to review these recommendations and take the required actions to implement all applicable measures.

SCADA Security Questions

• Has the SCADA system been submitted for an external security review? If so, can information about this review be provided?
• Does the SCADA system have any passwords listed in clear text files? If so, when will these passwords be removed?
• Can default user names and passwords be changed? If so, can this change be done on installation?
• Does the vendor do background checks on support personnel who will have access to the electric cooperative’s SCADA system?
• Will the vendor allow for virus scan, patching, and imaging software to be installed on the SCADA system? If the electric cooperative installs this software, does it affect the vendor’s support of the SCADA system?
• Can individual SCADA log-ins or database log-ins be linked to Active Directory or LDAP for a single sign-on approach?
• Does the SCADA system come with a GPS satellite time source?
• Does the SCADA system come with development server licensing included in the price?
• Does the SCADA system come with backup control center licensing included in the price?
• Will the SCADA vendor provide support on configuring the firewall and other routing devices to ensure network security?

Tips for Securing SCADA Systems

• Use passwords, personal identification numbers (PINs), and other modes of user authentication to guard against unauthorized access to SCADA systems.
• Match the strength of authentication to the criticality of the system. Multifactor authentication may be appropriate for SCADA systems.
• Offer regular security awareness training and monitor participation and compliance.
• Issue alarm contacts for access, password, and settings events. Monitor alarms for intrusion detection and to verify device functionality. Automate alarm responses with preprogrammed disconnects, autodial warnings, and metered audio/visual alarms.
• Terminate interactive sessions after periods of inactivity and ensure that open ports are properly closed so the next user does not inherit unauthorized access privileges.
• Limit the number of failed attempts to enter a password; disconnect and time-out the communications line after a set limit.
• Log alarms and suspicious activity (for example, failed password attempts) in nonvolatile storage. Scan audit logs and files regularly.
• Only allow outside network access to the SCADA system through a firewall and always question when opening a port to an outside network.
• Use private communications lines to limit eavesdropping and intrusions. Use encryption when communicating over public lines.


Tips for Securing SCADA Systems (cont.)

• Implement access hierarchies with different levels of permission for viewing and setting devices.
• Use segmented network topologies and/or star topologies to increase survivability and avoid “one down, all down” vulnerabilities.
• Secure SCADA and IT systems with virus scanners, firewalls, and intrusion detection systems.
• When communicating over the Internet, use VPN or PKI technology to authenticate partners and secure data packets.
• Keep communications systems design and network access information private.
• Use “warning banners” to discourage electronic intrusions.
• Use secure dial-back, encrypting, or authenticating modems or modem-keys.
• Never give out the phone numbers to SCADA devices.
• Take advantage of free XP or Vista-based firewalls.
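Two of the tips above (limit failed password attempts and disconnect the line after a set limit; log failed attempts in nonvolatile storage and scan the audit logs regularly) can be combined into a small monitor. The following is an added example, not code from the handbook; the log format, host names, the dial-up line identifier, the addresses and the three-attempt limit are all constructed for illustration.

```python
"""Failed-password monitor for SCADA access logs.

Added example (not from the handbook): implements the sidebar advice to
limit failed password attempts, disconnect the line after a set limit, and
record the events for review. The log format, host names, addresses and
the three-attempt limit are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (syslog-like, one record per line).
SAMPLE_LOG = """\
2008-11-03T02:14:07 dialup-gw auth FAIL user=vendor1 src=line3
2008-11-03T02:14:21 dialup-gw auth FAIL user=vendor1 src=line3
2008-11-03T02:14:39 dialup-gw auth FAIL user=vendor1 src=line3
2008-11-03T02:15:02 dialup-gw auth FAIL user=vendor1 src=line3
2008-11-03T02:15:30 dialup-gw auth OK user=vendor1 src=line3
2008-11-03T08:01:10 scada-hmi1 auth FAIL user=operator src=10.20.0.15
2008-11-03T09:30:44 scada-hmi1 auth OK user=operator src=10.20.0.15
2008-11-03T09:31:00 scada-hmi1 session OPEN user=operator src=10.20.0.15
"""

MAX_FAILURES = 3               # failures before the line is disconnected (assumed limit)
WINDOW = timedelta(minutes=5)  # failures older than this no longer count


def parse_line(line):
    """Parse one auth record into a dict; records that are not auth events return None."""
    fields = line.split()
    if len(fields) < 5 or fields[2] != "auth":
        return None
    rec = {"ts": datetime.fromisoformat(fields[0]),
           "host": fields[1], "result": fields[3]}
    for kv in fields[4:]:          # key=value pairs such as user=..., src=...
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect_lockouts(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Walk the log in order and return the alarms an operator should see.

    A LOCKOUT alarm fires the moment a (host, source line) pair reaches
    max_failures within the window; the pair stays locked until cleared.
    A LOGIN_AFTER_LOCKOUT alarm fires if a successful log-in is recorded
    on a line that should already have been disconnected.
    """
    failures = defaultdict(list)   # (host, src) -> timestamps of recent failures
    locked = set()
    alarms = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["src"])
        # Forget failures that fell out of the window.
        failures[key] = [t for t in failures[key] if rec["ts"] - t <= window]
        if rec["result"] == "FAIL":
            failures[key].append(rec["ts"])
            if len(failures[key]) >= max_failures and key not in locked:
                locked.add(key)
                alarms.append({"type": "LOCKOUT", "ts": rec["ts"],
                               "host": rec["host"], "src": rec["src"],
                               "user": rec["user"], "count": len(failures[key])})
        elif rec["result"] == "OK" and key in locked:
            alarms.append({"type": "LOGIN_AFTER_LOCKOUT", "ts": rec["ts"],
                           "host": rec["host"], "src": rec["src"],
                           "user": rec["user"]})
    return alarms


if __name__ == "__main__":
    # In production the alarm list would be appended to nonvolatile storage.
    for alarm in detect_lockouts(SAMPLE_LOG):
        print(alarm)
```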

Resources: SCADA Security

• U.S. DOE lessons learned from cyber-security assessments of SCADA and EMS: www.oe.energy.gov/DocumentsandMedia/Composite_Report_1-22-07.pdf
• Sandia National Laboratories SCADA report: www.sandia.gov/scada/documents/020729.pdf
• Multi-state Information Sharing and Analysis Center (MS-ISAC) cyber-security procurement language for control systems: www.msisac.org/scada/documents/12July07_SCADA_procurement.pdf
• John H. Saunders control systems and SCADA security: www.johnsaunders.com/papers/Control%20Systems%20&%20SCADA%20Paper.htm
• SCADA/business network separation—securing an integrated SCADA system: www.automation.com/sitepages/pid1363.php


5 Roadmap: Cyber-Security Framework and Standards

In This Section:
• Critical Infrastructure Protection
• INFOSEC Guidelines for the Utility Industry
• Cyber-Security Framework

Electric cooperatives do not run normal networks. They are burdened with unusual availability and integrity demands, and must be governed by special standards that reflect their position as a critical infrastructure. In short, the computers and networks that control electric utility systems require a security architecture that creates a high level of assurance and confidence in their performance and security. This cannot be achieved without the systematic implementation of a well-conceived plan within a comprehensive cyber-security program.

An appreciation of the fundamental principles of information security provides a grounding in the techniques used to protect information systems. An awareness of the technologies and tactics used by information security professionals can deliver some insight into the nature of a network’s security architecture. But a robust cyber-security program is more than a collection of techniques and technologies thrown together in defense of a network. Such a program must bind these elements into a cohesive and self-sustaining framework that connects technical, operational, and managerial controls in a meaningful way.

Critical Infrastructure Protection

Critical infrastructures are those large-scale systems that support essential human services. These include electric power, transportation, water, telecommunications, and other core functions of society. One hallmark of critical infrastructures is cross-dependencies. For example, telecommunications depend directly on electrical power, and to a large extent the converse is true. Thus, the disruption of one critical infrastructure often has implications for others, creating a domino effect of system failures. As critical infrastructures become increasingly reliant on IT, cyber security becomes a more significant concern.

The special nature of critical infrastructures has a profound effect on the security requirements of the networks and information systems that manage them. Many of these networks are geographically distributed over a wide area (globally, in some cases). Many of the information systems have extremely sensitive tolerances for timely data processing and communications. And inasmuch as these information systems keep the lights on, the water running, and planes in the air, confidence in the security of these systems is at a premium.

The implementation of the critical infrastructure protection (CIP) cyber-security standards is

necessary for the protection of cyber assets in the bulk electric system. The risks of failing to implement the CIP standards are twofold. Since most of the nation’s infrastructures run on the power supplied by the bulk electric system, the nation could easily come to a grinding halt should this system fail. Although cyber-security incidents related to distribution centers create localized problems, even greater effects could be seen if the bulk electric system were compromised due to cyber incidents. The second reason for implementation of the CIP standards is that of government compliance. The U.S. DOE has endowed the North American Electric Reliability Corporation (NERC), which has close relations with the Department of Homeland Security (DHS), with the authority to coordinate the protection of the electricity sector. Noncompliance with the CIP standards could lead to fines and other sanctions.

Very few distribution cooperatives meet the qualifications to fall under the NERC’s jurisdiction. As a result, the CIP standards are more of a concern to generation and transmission (G&T) cooperatives. In addition, many G&T cooperatives might not have assets that are large enough to affect the bulk electrical system as defined by the CIP standards. But many factors must be considered to determine if a specific cooperative falls under the NERC’s jurisdiction. The best policy is for the cooperative to seek help to find out if the CIP standards apply and at what level. The following are sources that a cooperative can contact to help determine if CIP applies.

1. Contact the NERC directly (www.nerc.com).
2. Distribution cooperatives can contact their G&T power supplier.
3. Contact the reliability organization responsible for the cooperative’s area.

The CIP standards are based on best security practices. As a result, even electric cooperatives that have no critical cyber assets under CIP-002 might consider using the CIP standards as guidelines to secure information systems. Implementing CIP standards, even when not required, has the following advantages.

• If a cyber asset is deemed critical in the future, the electric cooperative’s systems are already CIP compliant.
• CIP compliance can be a long and complex process; working toward compliance in advance makes sense for most electric cooperatives.
• Following the CIP standards makes an electric cooperative’s system resistant to both internal and external cyber attacks.

While compliance with the CIP standards may not be easy to achieve, the combination of internal planning, NERC-sponsored training and auditing, and external contractors can help make the transition successful. The following “Tips and Takeaways” provides links to services that electric cooperatives might use to manage CIP compliance. Appendix A contains a more detailed description of each of the CIP-002–009 standards.

Resources: Managing CIP Compliance

• CIP FAQ: www.midwestreliability.org/Compliance/2007/Seminar%20May%202007/CIP-002-009_FAQs_11Jan06.pdf
• Network and security technologies NERC whitepaper: www.netsectech.com/press/whitepapers/NERC%20CIP%20Compliance.pdf
• Effective practices for securing distributed control systems in power generation facilities: http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_effective_practices_for_securing_distributed_control_08-2006.en-us.pdf
• NERC/CIP compliance—headache or opportunity: www.garrettcom.com/nerc_cip_opportunity.htm
• Achieving NERC/CIP compliance with managed security services: www.secureworks.com/assets/print/brochure_nerc.pdf
• Dealing with NERC/CIP standards—a new ballgame: http://download.microsoft.com/download/1/2/6/12682168-0a60-45fb-9d44-c8919d0444fd/NERC%20Compliance%20White%20Paper.pdf

Tips and Takeaways

• Review CIP standards for applicability to your cooperative.
• Consider adopting some standards elements as best practices for security and “get ahead of the curve.”
• Cooperatives can schedule modest cost audits with NERC. These audits provide a means of certifying NERC compliance.

INFOSEC Guidelines for the Utility Industry

Information security standards and requirements are still under development for the utilities industry. The NERC has developed cyber-security standards CIP-002 through 009, which assist in developing a comprehensive cyber-asset-protection program that supports the reliable and secure operation of the bulk power system, as well as incident response.

The Rural Utility Service (RUS) amendment to 7 Code of Federal Regulations (CFR) Part 1730 in October 2004 requires that, “each borrower complete a vulnerability and risk assessment (VRA) of its entire business (physical and cyber) and utilize the results of that assessment to create and maintain an ERP (Emergency Response Plan).” RUS documentation underscores the need for securing telecommunications, computer, and SCADA networks.

Because of the differences among electric cooperative systems, a “one size fits all” approach to security is neither viable nor provided for by the RUS. Yet some fundamental best practices remain constant. For example, given that new network threats and vulnerabilities appear on a daily basis, regular vulnerability analysis and penetration testing are staples of any network security plan. Unless vulnerabilities are discovered and remediated in the electric cooperative’s electrical information systems, there exists the real potential for an attack on the network to cause disruption of power to customers.

The Energy Policy Act of 2005 (EPACT) expanded the FERC’s authority to impose mandatory reliability standards on the bulk transmission system and to impose penalties on entities that manipulate electricity. On July 20, 2006, FERC issued an order certifying NERC as the Electric Reliability Organization (ERO) for the United States. Prior to being the national ERO, the NERC’s guidelines for power system operation and accreditation were referred to as policies, for which compliance was strongly encouraged yet ultimately voluntary. As the national ERO, the NERC has revised its policies into standards, and now has the authority to enforce those standards on power system entities operating in the United States by way of significant financial penalties for noncompliance.

The NERC has created a set of standards to provide network security to the bulk power system. These standards are called the critical infrastructure protection standards (CIP-002–009) and are an upgrade and replacement to the old “Urgent Action Standard 1200—Cyber Security” standards. CIP standards include random checks and financial penalties for noncompliance of up to $1,000,000 a day. The current planned CIP compliance date is 2010. This compliance includes the accumulation of one year of log data.

Electric cooperatives should review the CIP standards as soon as possible, both because of the complexity of the implementation and the penalties for noncompliance. Electric cooperatives should consider appointing senior management personnel specifically to oversee the review and implementation of the CIP standards. Several of the CIP standards require senior management approval and oversight. Electric cooperatives should consider the creation of an internal CIP team to study and assure CIP compliance. Such a team, under the supervision of the appointed senior manager, could provide the leadership and guidance needed to ensure that proper procedures and policies are created and followed by other employees. The CIP compliance team could easily be composed of security and response team personnel, as well as department supervisors. The creation of a diverse team of personnel would ensure all areas of the company are monitored for compliance.

One of the most challenging tasks for electric cooperatives is developing and conducting the risk-based assessment to identify what critical assets owned by the electric cooperative affect the bulk power system. The NERC defines the bulk power system as “The electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at voltages of 100 kV or higher. Radial transmission facilities serving only load with one transmission source are generally not included.” As a result, not all of an electric cooperative’s power assets are part of the bulk power system. In addition, only critical assets fall under the CIP standards. The NERC defines a critical asset as “Facilities, systems and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability

or operability of the Bulk Electric System.” The NERC defines cyber assets as “programmable electronic devices and communication networks including hardware, software and data.” Furthermore, the NERC states that “Cyber assets are essential to the reliable operation of the critical asset.” As a result, some electric cooperatives might not have critical cyber assets. CIP-002 provides some guidelines on how to determine if a cyber asset is critical. The NERC FAQ also covers additional information on determining critical assets and critical cyber assets.

Each electric cooperative should consider all asset locations. The major interconnections and reliability councils who cover the assets’ location may have additional documents and recommendations on the CIP standards. Case Study 5.1 shows an example of the Electric Reliability Council of Texas (ERCOT) Independent System Operator (ISO) providing additional CIP clarification on determining critical assets in ERCOT’s control area.

Case Study 5.1: ERCOT ISO Critical Asset Information

ERCOT Critical Infrastructure Protection Advisory Group (CIPAG) has developed critical criteria that are available on the ERCOT Web site, titled “Draft ERCOT CIPAG Critical Criteria,” at:

www.ercot.com/meetings/other/keydocs/2007/0514-CIPAG/CIPAG_Critical_Criteria.doc

These criteria were used to determine what ERCOT considers critical assets in the ERCOT system. At this time, entities may choose to adopt these criteria to develop their risk-based methodology or they may develop their own risk-based methodology. ERCOT Compliance/Texas Regional Entity (TRE) does not encourage or discourage the use of these criteria. Again, each company can choose whether to adopt these criteria as their own. The following criteria were developed by ERCOT ISO and not ERCOT Compliance/TRE.

• Generation
  – Units or plants that qualify for “Must Run”
  – Includes any unit causing small overloads or area voltage concerns
  – Plants greater than or equal to 1,500 MW total capability
  – Nuclear plants
  – Units or plants that qualify for “Black Start”
• Transmission
  – “Black Start” transmission paths
    · Includes any stations along path
  – Stations that would take out of service the following
    · “Must Run” units
    · 1,150 MW or more of generation
  – Stations identified in annual transient stability and voltage surveys
    · Logical boundaries from study
    · Consideration of operational cases
  – Substations with greater than or equal to 300 MW of load
• Control centers
  – Controlling “Black Start” transmission paths
  – Controlling stations that would take out of service
    · “Must Run” units
    · 1,150 MW or more of generation
  – Controlling substations with greater than or equal to 300 MW of load

Source: ERCOT ISO.

Cyber-Security Framework

In 2005 Congress received a report outlining the need for a cyber-security framework and several suggested models. The Congressional Research Service (CRS) determined that a cyber-security framework would invariably require a combination of methods to ensure adequate guidance for industries. The sidebar “Cyber-Security Framework Elements” lists the individual methods that, when combined, could create an adequate and useful cyber-security framework.

CRS determined that one method alone could not adequately create a cyber-security framework to guide critical industries in securing their cyber assets. But combining multiple elements both encourages industries to adopt secure practices and guides the adoption of those practices. Though government standards, in the form of legislation, would likely incur resistance and prove unenforceable, a combination of standards, economic incentives, benchmarks, checklists, and auditing could lead to a viable framework while avoiding industry resistance. In keeping with the recommendations of CRS, the NERC issued cyber-security standards for the bulk power system in North America.

Cyber-Security Framework Elements
1. Government/industry standards
2. Certification
3. Best practices
4. Guidelines
5. Benchmarks and checklists
6. Auditing
7. Training and education
8. Enterprise architecture
9. Security audits
10. Metrics
11. Economic incentives

IT SECURITY PROGRAM PLANNING

Sustainable success in information security requires developing a culture that appreciates the value of information and the role of IT in fulfilling organizational mission. Developing such a culture requires a dedicated effort from management to bring together the core elements comprising a robust IT security program. These core elements include:

1. IT security personnel and staffing
2. Budgetary commitment for IT security
3. Comprehensive IT security policies
4. Information security strategy and plan
5. Commitment to IT security education and training and awareness

A mature information security program impacts organizational preparedness for natural and manmade disasters, in addition to cyber attacks.

THE ROLE OF ASSESSMENTS

Security assessment and audit are the two most commonly neglected elements in an information security strategy. The irony is that these two processes drive and motivate every decision made and action taken in a mature security program. Security policies are defined to address needs identified through assessment while controls are implemented to meet specific requirements influenced by the design of targeted security audits.

Cyber-security assessments

Cyber-security assessments begin with a fundamental understanding of system mission and assets and culminate in a sense of an information system’s security risk posture. Risk assessment is driven by enterprise security requirements, threat profiling, and existing or proposed security controls. A risk assessment will guide the strategic development of countermeasures and controls.

There are various types of security assessments, some of which require the use of outside resources due to their highly specialized nature. Electric cooperatives must decide on the level of investment and detail for the assessment. The potential benefit of using a consultant should be determined by the scope and complexity of the assessment and by the experience level of the electric cooperative staff.

Security audits are conducted for a variety of reasons. Some are integral to the risk-assessment process. Some are conducted as part of a periodic review. Still others are motivated by compliance and regulatory standards. No matter the motivation, security audits are a vital part of an information security program.

Types of Security Audits

1. Security policy and procedure audit. The purpose of this audit is to ensure that appropriate security-related policies, procedures, processes, and monitoring are in place. Of primary concern is the comprehensive coverage of security policies in addressing established security requirements. Another concern is the consistency in security policies, between themselves and with other organizational doctrine. During this review it is important to ensure that annual training for security policies and procedures is required of all employees. Individual employee attendance of and participation in training sessions should be documented to track the effectiveness of the program.

2. Physical security audit. The purpose of this audit is to ensure that physical access controls and emergency procedures exist and are appropriate for the facility. It should also verify that extra controls are in place around the organization’s server room, IT equipment rooms (such as those housing telephone switches, routers, backup tape/CD libraries, software installation media libraries, and so on), or any areas where IT equipment is stored or used. Multiple controlled access points create a layered defense by placing multiple obstacles in the path of would-be intruders. Enforcement of a clean desk policy, in which employees place sensitive materials in lockable containers, desks, or filing cabinets before leaving their work area, adds yet another layer of physical security.

3. Security checklist review. This review adopts a “laundry list” approach to best practices for securing business application systems and corporate information systems (CIS). Published and community-validated checklists should be used, as well as platform-specific guidance supplied by business application system vendors.

4. Network vulnerability scan. This scan is a security audit that systematically tests for vulnerability to known attacks or security flaws in network software and systems. Examples of what is checked include server operating systems, router configurations, MS Exchange Server, firewalls, Web sites, and database engines. This scan does not ensure that business partners, vendors, or authorized employee equipment such as cell phones and PDAs are not vulnerable. The optimal role of this kind of audit is within the context of a robust network security program that regularly monitors, evaluates, and remediates system vulnerabilities.

5. Intrusion detection. IDSs are software and/or hardware monitoring solutions that scour incoming network traffic for intrusion attempts and also check internal network traffic for suspicious activities or patterns of activity that might indicate an intruder is on the network. Their principal utility is in the incident handling phase of enterprise security operations.

6. Penetration testing. This audit process involves planned attempts to break into a network to evaluate its resiliency against adversaries. Of all the kinds of audits discussed here, penetration testing requires the most highly specialized technical skills. During external (black box) network testing, little or no initial information is provided to the auditors to simulate an outside attacker attempting to gather information and access to systems. Techniques such as dumpster diving (searching through trash bins for sensitive information) and social engineering (deceiving a system operator or manager to gain illicit access) may also be used. Internal (white box) testing endows the penetration team with knowledge about the systems, software, and security measures to simulate the actions of an insider.

7. External security audit. The purpose of the external security audit is for independent validation that effective security-related procedures and processes are in place. This audit—typically an annual event—usually involves a combination of testing, physical examination, and analysis.

8. Event-driven audit. In contrast to the other types of security audits, which are planned and periodic, event-driven audits are generally initiated in response to attacks, suspicious anomalies, or the discovery of a new vulnerability. The scope and format of such an audit is dictated by the circumstances surrounding the event.

Tips and Takeaways
• Institute a security metrics program that periodically audits and assesses the state of security in the electric cooperative to motivate an investment in security.
• Include management in the assessment process, communicating results, and soliciting feedback.
• Use audits and assessments to validate progress and identify gaps in cooperative cyber security.

EDUCATION, TRAINING, AND AWARENESS

The biggest wildcard in computer security and safety is the end user. While security procedures and written policies are critical to protecting a network, employees who leave their user IDs and passwords on post-it notes next to their computer can compromise the best-laid security plans. Electric cooperatives have historically made safety a top priority and provide extensive training to employees on how to work safely on the job. The safety of the computer network can be just as important. Thus, employee training on the safe use of the company’s computer network should be an integral part of electric cooperative training plans.

Identifying the greatest hazards that employees are most likely to encounter is key in developing a training plan. According to a recent study by the SANS Institute, the most common security mistakes by employees are:

• Opening unsolicited e-mail attachments
• Failing to install security patches
• Installing screen savers and games without IT permission
• Failing to save work regularly
• Not making backups or not testing to make sure the backups work

Some electric cooperatives include computer training as part of an orientation process for new employees. While this can be effective in helping new employees to understand security risks, it alone does not address the bigger issue of making sure that all employees understand the implications and potential damage that can occur as the result of a breach in security. Electric cooperatives should develop separate IT security training programs designed to educate employees about computer systems, inform them of measures that must be taken to maintain system security, and review policies and procedures that have been put in place to protect these valuable assets. Several vendors offer these types of security awareness training programs, such as SANS Institute, Meketrex Technologies, and Foundstone. For IT personnel there are multiple industry and government certifications that are key education components to maintain a security focus. These include industry certifications such as CompTIA Security+, Certified Information Systems Security Professional (CISSP), and the Committee on National Security Systems (CNSS) 4011–4016 certifications.

Tips and Takeaways
• Training and awareness programs are very important; if outsourcing training, be sure to select a vendor that has mapped its training program to known standards and compliances.
• When possible, use a hybrid training solution that combines instructor-led instruction with online continuing education.
• It is important to maintain a current record of each employee’s training progress for CIP auditing purposes.

A Description of NERC Cyber Security Standards (CIP-002–009)

The NERC Cyber Security Standards (CIP-002–009) outline the security, personnel, training, reporting, and response standards for the bulk power system for North America, one of the nation’s most important critical infrastructures. CIP-002–009 breaks down the topics of cyber security as applied to electrical and nuclear power systems, each of which will be covered sequentially.

CIP-002 Critical cyber-asset identification. This standard requires the entity to create a risk-based assessment methodology and narrow down the critical cyber assets. Essentially, critical cyber assets have at least one of three key characteristics: they must either use a routable protocol for communication outside the electronic security perimeter, a routable protocol within a control center, or be accessible via dial-up connection. The assessment must be performed yearly and the entity must maintain documentation of the methodology and its application. A list of the critical cyber assets must be maintained, as well as the risk-based assessment methodology. A member of senior management or a delegate thereof must approve the lists yearly.

CIP-003 Security management controls. This standard begins with a cyber-security policy. Entities are required to document and implement a cyber-security policy that addresses the requirements of CIP-002–009, contains emergency situation provisions, is available to employees responsible for critical cyber assets, and is subject to annual review and approval by the senior manager. The entity must also appoint a member of senior management to a position of overall responsibility for the implementation of the CIP standards. This manager’s current contact information must be documented and kept on file with the policy. This individual has the authority to authorize exceptions to the cyber-security policy, which must be documented with an accompanying explanation and reviewed annually for necessity and validity. In addition to the cyber-security policy, the entity must also implement and document an identification, classification, and protection program for information associated with critical cyber assets. This standard explicitly outlines the minimal information to be protected, which must be classified based on sensitivity. The entity must assess its adherence to the program on an annual basis. The entity must also manage access controls for critical cyber-asset information, which must be implemented with two sets of documentation, including designated authorized personnel. The access control lists must also be verified annually, along with verification of access privileges, a method for controlling those privileges. Finally, CIP-003 also requires the entity to document and implement a process for change control and configuration management for any modification of critical cyber-asset hardware and software.

CIP-004 Personnel and training. This standard requires the entity to develop and implement employee training and awareness programs. The entity must create a security awareness program that ensures employees practice sound security procedures regarding critical cyber assets, including reinforcement on a quarterly basis. The security training program must be performed, reviewed, and updated annually. Employees with access to critical cyber assets must be trained within 90 calendar days of being granted access. The training must include policies, procedures and access controls, proper use, information handling, and incident recovery plans and procedures for critical cyber assets. Training documentation for annual training must be kept, including the dates on which training was performed. In addition to the training and awareness programs, the entity must perform personnel risk assessments. Within 30 days of attaining access to critical cyber assets, the personnel risk assessment must include identity verification and a seven-year criminal check. These assessments must be updated every seven years or in response to an incident and the results should be documented. The entity must also maintain lists of those with access to critical cyber assets, which must be updated within seven calendar days of any changes to the personnel access rights. If an employee is terminated for cause, the access rights must be revoked and lists modified within 24 hours of the termination.

CIP-005 Electronic security perimeters. This standard states that every critical cyber asset must exist inside an electronic security perimeter. The entity must document the access points of the perimeter, including external communication points terminating inside the perimeter. Even communication links connecting discrete perimeters should be considered access points, and should be properly documented. Noncritical cyber assets within perimeters and those used to access and monitor the perimeters should also be protected. The entity must implement and document the processes and mechanisms for electronic access to the perimeters, which must deny access by default. The entity must maintain documentation regarding the configuration of ports, and that only the ports and services necessary for operation are enabled. Any external access into the electronic security perimeters must carry strong access point controls to ensure authenticity of access. All access to the electronic security perimeter must be monitored for access authorization. To ensure these processes and security measures are followed, the entity must perform annual cyber-vulnerability assessments. These assessments must identify and document that only the necessary ports and services required for operation are enabled, check all access points, and review various controls. The assessment findings must be documented and used as the basis for plans to mitigate the vulnerabilities. These documents must be kept current and be updated with any modifications.

CIP-006 Physical security. This standard requires the entity to ensure proper physical security for critical and noncritical cyber assets within an electronic security perimeter. A physical security plan must be developed and implemented, and then approved by a member of senior management. The plan must provide that all assets within electronic security perimeters are also within a physical security perimeter. Similar procedures to monitor and verify access to the electronic perimeter will be required for the physical security perimeter, including the identification, documentation, and monitoring of the perimeter. The plan must be updated within 90 calendar days of any modifications, and should be reviewed annually. Similar to the electronic security perimeter, the entity must create adequate physical access controls for the physical security perimeter. This standard requires one or more of the following security measures: card key, special locks (magnetic locks, restricted key systems, and so on), security personnel, or other authentication devices. Physical access to the physical security perimeter must be monitored by either alarm systems or human observation. Either of these methods must provide immediate notification of the opening of a door, gate, or window. Along with monitoring physical access, the access to the physical security perimeter must be logged. Whether by manual, computerized, or video logging, sufficient information must be collected so that individuals may be uniquely identified and their times of access recorded. Normal access logs must be kept at least 90 days, and logs with reportable incidents must be kept for the period of time indicated by CIP-008. Finally, the entity must ensure that the physical security systems are functioning properly with a maintenance and testing program, the cycle of which must be no longer than three years. This program must include testing and maintenance logs that are kept by the entity, which must retain outage records for one year for the physical security systems.

CIP-007 Systems security management. This standard requires the entity to develop and maintain testing procedures for assets located within an electronic security perimeter. These testing procedures must ensure that changes and modifications to the assets do not adversely affect the production environment or the cyber-security controls. Additionally, the entity must document all test results. The second part of this standard requires the entity to create and document procedures that ensure only the ports and services required for normal and emergency operations are enabled. Before production use, all other ports and services must be disabled, including those used for testing. The entity must also document compensation procedures for those ports and services that cannot be disabled. The third part of this standard requires the entity to assess security patches and upgrades within 30 days of their release. Those patches which are implemented must be documented, and a compensating measure must be documented for those patches that are not installed. The fourth part of this standard requires that the entity implement documented use of antivirus and malicious software prevention tools. The fifth part requires that the entity create, implement, and document controls for access authentication. Accounts must be approved by designated personnel, and must carry established methods and procedures to generate logs for audit trails. The entity must also create policies to manage acceptable use for all accounts and their privileges. Passwords for all accounts must contain both alphanumeric and special characters, be comprised of at least six characters, and be changed annually or based on risk. The sixth requirement is that of security status monitoring. Here, the entity must implement automated tools and controls to monitor cyber-security system events. These tools and controls must issue alerts for detected incidents. Logs of all incidents must be kept for 90 days, and documentation must be kept to establish that logs were reviewed. The seventh part of this standard requires methods and procedures for disposal and redeployment of cyber assets to be formalized and documented. The data on disposed or redeployed cyber assets must be erased or destroyed to prevent unauthorized access, and this destruction of data must be documented. The eighth requirement is an annual vulnerability assessment of all cyber assets within electronic security perimeters. These assessments must include a documented assessment process, a review to ensure only those ports and services required for operation are enabled, a review of default account controls, and documentation of the results. Once the assessment is complete, the entity must implement an action plan to mitigate any vulnerabilities. The ninth part of the standard requires that all documents be reviewed and updated annually, and changes must be documented within 90 days of the modification.

CIP-008 Incident reporting and response plan. This standard outlines incident reporting and response planning. The entity must create and maintain a Cyber Security Incident Response plan. This plan should characterize events and contain response actions, the roles of response teams, reporting procedures, updating procedures, response plan review procedures, and response plan testing processes for yearly testing. Documentation for reportable incidents must be retained for three years.

CIP-009 Recovery plan. This standard goes over the creation and implementation of a recovery plan. These recovery plans should contain roles of responders and the required actions for event response, and the entity must review recovery plans annually. The plan should also be exercised and updated annually to reflect any updates or changes necessary. The plan must also contain backup and restoration processes for information used to restore critical cyber assets. Backup media should be tested annually to ensure viability.
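The CIP-007 requirements described above (approved ports and services only, patches assessed within 30 days, documented malicious-software prevention, password composition and annual change, 90-day incident log retention) can be turned into a routine self-check of an asset's configuration record. The following is an added example written for this excerpt, not code from NRECA, NERC, or any vendor; the record fields, helper names, and the sample asset are assumptions made for the example.

```python
"""Added example (not handbook or NERC code): evaluate a constructed asset record
against the CIP-007 requirements summarized above. Field names, helper names and
the sample data are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_ASSESSMENT_WINDOW = timedelta(days=30)  # patches assessed within 30 days of release
PASSWORD_MAX_AGE = timedelta(days=365)        # passwords changed at least annually
PASSWORD_MIN_LEN = 6                          # passwords of at least six characters
INCIDENT_LOG_RETENTION_DAYS = 90              # incident logs kept for 90 days
REPORT_DATE = date(2008, 11, 1)               # assumed date on which the check is run

@dataclass
class Patch:
    name: str
    released: date
    assessed: Optional[date]        # None if the entity has not evaluated it yet
    installed: bool
    compensating_measure: str = ""  # must be documented when the patch is not installed

@dataclass
class Account:
    user: str
    password_last_changed: date

@dataclass
class AssetRecord:
    name: str
    enabled_ports: List[int]
    approved_ports: List[int]       # ports/services required for normal or emergency operation
    undisableable: Dict[int, str] = field(default_factory=dict)  # port -> compensation procedure
    antivirus_documented: bool = False
    patches: List[Patch] = field(default_factory=list)
    accounts: List[Account] = field(default_factory=list)
    incident_log_retention_days: int = 0

def check_password_policy(candidate: str) -> List[str]:
    """Composition rule applied when a password is set: at least six characters,
    containing both alphanumeric and special characters. Returns the rules violated."""
    problems = []
    if len(candidate) < PASSWORD_MIN_LEN:
        problems.append("shorter than six characters")
    if not any(c.isalnum() for c in candidate):
        problems.append("no alphanumeric character")
    if not any(not c.isalnum() and not c.isspace() for c in candidate):
        problems.append("no special character")
    return problems

def check_asset(asset: AssetRecord, today: date) -> List[str]:
    """One finding per CIP-007 requirement the record fails; an empty list is compliant."""
    findings = []
    # Ports and services: anything enabled beyond the approved set needs a documented
    # compensating procedure.
    for port in asset.enabled_ports:
        if port not in asset.approved_ports and port not in asset.undisableable:
            findings.append(f"port {port} enabled without approval or compensating procedure")
    # Patches: assessed within 30 days of release; uninstalled ones need a compensating measure.
    for p in asset.patches:
        deadline = p.released + PATCH_ASSESSMENT_WINDOW
        if p.assessed is None and today > deadline:
            findings.append(f"patch {p.name} not assessed and the 30-day window has passed")
        elif p.assessed is not None and p.assessed > deadline:
            findings.append(f"patch {p.name} assessed {(p.assessed - deadline).days} days late")
        if not p.installed and not p.compensating_measure:
            findings.append(f"patch {p.name} not installed and no compensating measure documented")
    # Malicious-software prevention tools must be in documented use.
    if not asset.antivirus_documented:
        findings.append("no documented antivirus or malicious-software prevention")
    # Accounts: passwords changed at least annually (composition is enforced at set time).
    for a in asset.accounts:
        if today - a.password_last_changed > PASSWORD_MAX_AGE:
            findings.append(f"account {a.user} password older than one year")
    # Security status monitoring: incident logs retained for 90 days.
    if asset.incident_log_retention_days < INCIDENT_LOG_RETENTION_DAYS:
        findings.append(f"incident log retention of {asset.incident_log_retention_days} days is under 90")
    return findings

# Constructed sample: an EMS front-end processor with one stray port, one
# unassessed and uninstalled patch, and one stale service-account password.
SAMPLE_ASSET = AssetRecord(
    name="ems-fep-01",
    enabled_ports=[22, 502, 8080],
    approved_ports=[22, 502],
    antivirus_documented=True,
    patches=[
        Patch("vendor-2008-03", date(2008, 3, 1), date(2008, 3, 20), installed=True),
        Patch("vendor-2008-05", date(2008, 5, 5), None, installed=False),
    ],
    accounts=[
        Account("operator", date(2008, 1, 15)),
        Account("vendor-svc", date(2006, 11, 2)),
    ],
    incident_log_retention_days=90,
)

def sample_findings() -> List[str]:
    """Findings for the constructed record as of REPORT_DATE (four expected)."""
    return check_asset(SAMPLE_ASSET, REPORT_DATE)
```

Each finding maps back to one numbered part of CIP-007, which is what an auditor will ask for when the documented assessment results are reviewed.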

B Glossary of Terms

Active Directory Kerberos. A network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. (http://web.mit.edu/Kerberos)

Adware. Automatically downloads and displays advertisements on a computer after the software is installed. (Wikipedia)

Demilitarized Zone (DMZ). A network segment that sits between the organization’s internal network and the external network. (Wikipedia)

Denial of Service (DoS). Attacks that flood a system with legitimate traffic, or with maliciously crafted payloads intended to disrupt a data service. (Wikipedia)

Energy Management System and Supervisory Control and Data Acquisition (EMS SCADA) System. A system of computer-aided tools used by operators of electric utility grids to monitor, control, and optimize the performance of the generation and/or transmission (G&T) systems. The monitor and control functions are known as SCADA. EMS excludes the monitoring and control functions but more specifically refers to the collective suite of power network applications and to the generation, control, and scheduling applications. (Wikipedia)

File Transfer Protocol (FTP). A computer network protocol used to transfer data from one computer to another through a network. (Wikipedia)

Firewall. Software or hardware that protects a network by monitoring and constraining the traffic that flows into it. It defines exactly what, and who, can get in or out of a network. (Wikipedia)

Identity Theft. The loss or compromise and subsequent misuse of personal information. (Wikipedia)

Information Systems Security Engineering Process (ISSEP). The art and science of discovering users’ information protection needs and then designing and making information systems to safely resist the forces to which they may be subjected. (www.nsa.gov/ia/government/isse.cfm?MenuID=10.3.2)

Intrusion Detection System (IDS). Systems that inspect network traffic using intelligent pattern recognition and algorithms to identify malicious activity. (Wikipedia)

Intrusion Prevention System (IPS). Systems that extend the functionality of an IDS with real-time response to detected intrusions. (Wikipedia)

Kernel. The kernel is the central component of most computer operating systems. Its responsibilities include managing the system’s resources (communication between hardware and software components). As a basic component of an operating system, a kernel provides the lowest-level abstraction layer for the resources (especially memory, processors, and input/output devices) that application software (for example, word processors) must control to perform its function. (Wikipedia)

Kernel modules. Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system (for example, a sound card). (Wikipedia)

Lightweight Directory Access Protocol (LDAP). A set of protocols for accessing information directories. It is used to look up e-mail addresses, encryption certificates, pointers to printers, and other services on a network, and can provide single sign-on (SSO) where one password for a user is shared between many services. (Wikipedia)

Linux. A free Unix-type operating system originally created by Linus Torvalds with the assistance of developers around the world. Developed under the GNU General Public License, the source code is freely available to everyone. (Wikipedia)

Malware. Software designed to infiltrate and damage a computer system without the owner’s knowledge. (Wikipedia)

Media Access Control (MAC). MAC is a unique serial number assigned to each network adapter, making it possible to deliver data packets to a destination. (Wikipedia)

MAC Address Filtering. MAC Address Filtering refers to a security access control methodology whereby the 48-bit address assigned to each network card is used to determine access to the network. Therefore, only MAC addresses with specific authorization are allowed access to the network. (Wikipedia)

Microsoft Structured Query Language Server (MSSQL). A relational database management system produced by Microsoft. Its primary query language is Transact-SQL, an implementation of the American National Standards Institute/International Organization for Standardization (ANSI/ISO) standard Structured Query Language (SQL) used by both Microsoft and Sybase. (Wikipedia)

Phishing. A social engineering technique whereby an individual attempts to acquire sensitive information such as passwords, credit card numbers, and social security numbers (SSNs) through an electronic medium such as e-mail or Web sites. (Wikipedia)

RADIUS. A server for remote user authentication and accounting. It may also be used on any network that needs a centralized authentication and/or accounting service for its workstations. (Wikipedia)

Rootkits. Software tool collections intended to conceal processes, files, or system data from the operating system. They are commonly used to help intruders acquire access to systems while avoiding detection. (Wikipedia)

Single Sign-On (SSO). A mechanism whereby a single action of user authentication and authorization can permit a user access to all computers and systems where he has access permission, without the need to enter multiple passwords. (Wikipedia)

Solaris. A free Unix-based operating system introduced by Sun Microsystems in 1992 as the successor to SunOS. Solaris supports SPARC-based and x86-based workstations and servers from Sun and other vendors. (Wikipedia)

Spam. Unsolicited commercial e-mail messages. (Wikipedia)

Spyware. Software installed without the user’s knowledge designed to intercept information or take control of the user’s computer. Spyware can be used to monitor user behavior and to collect personal information. It can also interfere with the use of a computer by installing additional software, redirecting Web browser activity, logging keystrokes, or diverting advertising revenue to a third party. (Wikipedia)

Squid. A caching proxy for the Web. It reduces bandwidth and improves response times by caching (storing) and reusing frequently requested Web pages. Squid also offers access control, authorization, and a logging environment for improved security. (Wikipedia)

Structured Query Language (SQL). A database computer language designed for the retrieval and management of data in relational database management systems, database schema creation and modification, and database object access control management. (Wikipedia)

Subnet. An abbreviation for subnetwork, it is a range of logical addresses within the address space of a computer network that is assigned to an organization. The addresses of all nodes within a subnet start with the same binary sequence (for example, 129.xxx.xxx.x). This constitutes the network identification. (Wikipedia)

Trojan horse. Renegade code hidden in otherwise legitimate software which appears to perform a certain action but in fact performs another, such as transmitting a computer virus. (Wikipedia)

Virtual Private Network (VPN). A computer network that uses a public telecommunication infrastructure (that is, the Internet) to provide remote offices or individual users with secure access to their organization’s network. A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and encryption/decryption protocols. (Wikipedia)

Virus. Computer programs that propagate across systems and exhibit malicious or benign behavior. (Wikipedia)

Vulnerability Risk Assessment (VRA). Determining the weaknesses in security, both physical and cyber, of a business or facility. These assessments are usually performed by an outside entity that specializes in physical or cyber security (or both). (Wikipedia)

Warez. Illegal copies of software, movies, and music. (CRN Handbook)

References – 59

C References

[1] Information Assurance Technical Framework, Release 3.1. Information Assurance Solutions Technical Directors, National Security Agency, Fort Meade, MD, September 2002. www.iatf.net/framework_docs/version-3_1/index.cfm


D Abbreviations and Acronyms

ANSI  American National Standards Institute
AoL  America On-Line
ARP  Address Resolution Protocol
ATM  Automated Teller Machine
BoA  Bank of America
CDs  Compact Discs
CFR  Code of Federal Regulations
CIP  Critical Infrastructure Protection
CIPAG  Critical Infrastructure Protection Advisory Group
CIS  Corporate Information Systems
CISSP  Certified Information Systems Security Professional
CNSS  Committee on National Security Systems
CRN  Cooperative Research Network
CRS  Congressional Research Service
DECT  Digital Enhanced Cordless Telecommunications
DFP  Digital Forensics Professionals
DHCP  Dynamic Host Configuration Protocol
DHS  Department of Homeland Security
DMZ  Demilitarized Zone
DNS  Domain Name Service
DOE  Department of Energy
DoS  Denial of Service
DVDs  Digital Video Discs
EMS  Energy Management System
EPACT  Energy Policy Act of 2005
ERCOT  Electric Reliability Council Of Texas
ERO  Electric Reliability Organization
ERP  Emergency Response Plan
FAQ  Frequently Asked Questions
FTC  Federal Trade Commission
FTP  File Transfer Protocol
G&T  Generation and Transmission
GPS  Global Positioning System
GUI  Graphical User Interface
HIDSs  Host-Based Intrusion Systems
IATF  Information Assurance Technical Framework
ICMP  Internet Control Message Protocol
IDN  Internationalized Domain Names
IDSs  Intrusion Detection Systems
IE7  Internet Explorer 7
IEEE  Institute of Electrical and Electronics Engineers
IM  Instant Messaging
IMAP  Internet Message Access Protocol
IMEI  International Mobile Equipment Identity
IP  Internet Protocol
IPSs  Intrusion Prevention Systems
IrDA  Infrared Data Association
IRS  Internal Revenue Service
ISM  Industrial, Scientific, and Medical
ISO  Independent System Operator
ISO  International Organization for Standardization
ISP  Internet Service Provider
ISSE  Information Systems Security Engineering
ISSEP  Information System Security Engineering Process
IT  Information Technology
kV  Kilovolt (1,000 Volts)
LAN  Local Area Network
LDAP  Lightweight Directory Access Protocol
MAC  Media Access Control
MS-ISAC  Multi-State Information Sharing and Analysis Center
MSSQL  Microsoft Structured Query Language
MW  Megawatt
NAT  Network Address Translation
NERC  North American Electric Reliability Corporation
NFS  Network File System
NIDSs  Network-Based Intrusion Detection Systems
NIST  National Institute of Standards and Technology
NRECA  National Rural Electric Cooperative Association
NSA  National Security Agency
NTP  Network Time Protocol
PCs  Personal Computers
PDA  Personal Digital Assistant
PGP  Pretty Good Privacy
PIN  Personal Identification Number
PKI  Public Key Infrastructure
POP3  Post Office Protocol, Version 3
RF  Radio Frequencies
RPC  Remote Procedure Call
RTUs  Remote Terminal Units
RUS  Rural Utility Service
SANS  System Administration, Network, and Security
SCADA  Supervisory Control and Data Acquisition
SMTP  Simple Mail Transfer Protocol
SQL  Structured Query Language
SSL  Secure Sockets Layer
SSN  Social Security Number
SSO  Single Sign-On
TCP  Transmission Control Protocol
TRE  Texas Regional Entity
UDP  User Datagram Protocol
UPS  Uninterruptable Power Supply
USB  Universal Serial Bus
VPN  Virtual Private Network
VRA  Vulnerability and Risk Assessment
WEP  Wired Equivalent Privacy
WPA  Wi-Fi Protected Access
