Earlier this month, the Federal Energy Regulatory Commission (FERC), in partnership with the North American Electric Reliability Corporation (NERC) and eight of its Regional Entities (REs), published a joint report entitled “Cyber Planning for Response and Recovery Study” (CYPRES) that reviews how electric utilities respond to a cybersecurity event. The report focuses heavily on incident response and recovery (IRR) plans: the documented procedures an electric utility follows when responding to a cyber incident so that the reliability of the Bulk Electric System (BES) is maintained. I found several of the key takeaways interesting and summarize them below. You can find the report in its entirety here.

Where NIST SP 800-61 Fits In

While most registered entities likely build their IRR plans to satisfy CIP-008-5, “Incident Reporting and Response Planning,” the joint team quickly observed that the entities' plans also followed the framework described in National Institute of Standards and Technology (NIST) Special Publication 800-61 Revision 2. Within that framework, the joint team found that the most effective plans are those that “contain well-defined personnel roles, promote accountability and empower personnel to take action without unnecessary delays” and that “leverage technology and automated tools while also recognizing the importance of human performance.” Time and time again, the human element proves to be at least as important as the technology tools in place.

With regard to containment and eradication, I found this observation particularly interesting: “IRR plans should consider the possibility that a containment strategy may trigger predefined destructive actions by the malware.”

Arguably, this is one of the most difficult scenarios to plan for. Malware behavior and analysis is not a novel subject. Even so, planning how an asset owner might need to alter their mitigation approach so as not (Read more...)