Staff of the Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) have published a report detailing utility best practices for response and recovery from cyber attacks.
The report, Cyber Planning for Response and Recovery Study (CYPRES), was developed based on interviews with subject matter experts from eight electric utilities of varying size and function. The report includes the joint staffs’ observations on the utilities’ defensive capabilities and the effectiveness of their incident response and recovery (IRR) plans.
The report identifies common elements among the incident response and recovery plans, including the definition and scope of a cyber incident, the roles and responsibilities of staff, reporting requirements and guidelines for external communication, as well as procedures to evaluate performance in the wake of an attack.
While acknowledging that there is no single best incident response and recovery plan model, the FERC/NERC team identified best practices that utilities should consider when developing their IRR plans.
Specifically, an effective incident response and recovery plan should:
- Have well-defined roles for personnel that promote accountability and enable them to act without unnecessary delays;
- Ensure that IRR personnel have access to supporting technology and automated tools;
- Require personnel to constantly update their skills and incorporate lessons learned from past incidents or tests;
- Use baselining, that is, the monitoring of resources to determine typical patterns so significant deviations can be detected, so personnel can quickly determine when a predefined risk threshold is reached;
- Have the ability to remove all external connections when a cyber event occurs and consider the possibility that a containment strategy may trigger predefined destructive actions by the malware and, therefore, employ evidence collection and continued analysis to determine whether an event indicates a larger compromise of the system;
- Consider the implications of incident responses of indeterminate length; and
- Implement lessons learned from previous incidents and simulated activities.
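The baselining practice above (learn what "typical" looks like, then alert when a deviation crosses a predefined risk threshold) can be illustrated with a small detector. This is an added example, not code from the CYPRES report; the metric (outbound connections per hour from a control-system host), the sample values and the threshold are all constructed assumptions.

```python
"""Baselining demo: learn typical hourly counts from a training window, then
flag observations whose deviation reaches a predefined risk threshold."""
from statistics import median

# Constructed sample: outbound connections per hour from one EMS host during a
# quiet training window (hypothetical values, not taken from the report).
TRAINING_WINDOW = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 15]

# Predefined risk threshold: alert once |score| reaches this many robust sigmas.
RISK_THRESHOLD = 4.0


def robust_baseline(samples):
    """Median plus MAD-derived scale; a few odd hours in training barely move it."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    # 1.4826 rescales MAD to the standard deviation for normally distributed data;
    # fall back to 1.0 so a perfectly flat window cannot divide by zero.
    scale = 1.4826 * mad if mad > 0 else 1.0
    return med, scale


def deviation_score(value, baseline):
    """Signed deviation of one observation from the baseline, in scale units."""
    med, scale = baseline
    return (value - med) / scale


def evaluate(observations, baseline, threshold=RISK_THRESHOLD):
    """Return (index, value, score) for every observation at or past the threshold.

    Both directions are reported: a surge may mean data exfiltration or scanning,
    while a collapse may mean telemetry has been cut off or a host is down.
    """
    alerts = []
    for i, value in enumerate(observations):
        score = deviation_score(value, baseline)
        if abs(score) >= threshold:
            alerts.append((i, value, round(score, 2)))
    return alerts


if __name__ == "__main__":
    base = robust_baseline(TRAINING_WINDOW)
    # Constructed monitoring window: hour 2 surges, hour 4 goes nearly silent.
    for hit in evaluate([13, 14, 40, 12, 2], base):
        print("hour %d: %d connections, score %+.2f" % hit)
```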
Among other observations, the report found that well-defined roles and responsibilities became clearer to utility staff after they took part in exercises, such as NERC’s Grid Security Exercise (GridEx), to test their response and recovery plans. Many participants in the report said they modified their incident response and recovery plans after completing the GridEx process.
GridEx, which takes place every two years, allows utilities, government partners and other critical infrastructure participants to engage with local and regional first responders, exercise cross-sector impacts, improve unity of effort messages and communication, identify lessons learned and engage senior leadership.
The most recent GridEx occurred in 2019. In 2017, 53 public power entities participated in GridEx, while in 2019, 100 public power entities participated.
Meanwhile, some participants in the report also noted that virtualization is a useful tool. Virtualization uses software to behave as if it were a physical device, so a single physical host can house many virtual devices, reducing hardware and real estate costs.
And, because a virtualized device can be easily saved and restored, it can save hours of work when a software glitch occurs. In the same way, if a cyber attack required a machine to be rebuilt from scratch, virtualization would make the restoration process less costly and time-consuming.
The report concludes that “effective IRR plans can mitigate the natural advantages that cyber attackers possess.” Because cyber attackers operate covertly, “effective IRR plans should be in place and response teams should be prepared to detect, contain, and, when appropriate, eradicate the cyber threat before it can impact the utility’s operations.”