February 26, 2016
DNG-ISAC
Downstream Natural Gas Information Sharing and Analysis Center
What is an ISAC?
• ISAC – Information Sharing and Analysis Center
• ISACs are trusted entities established by Critical Infrastructure Key Resource (CI/KR) owners and operators to provide comprehensive sector analysis
• ISACs were introduced by Presidential Decision Directive-63 (PDD-63), signed May 22, 1998
• PDD-63 recognized the potential for the infrastructures of the United States to be attacked
• In PDD-63, the federal government asked each critical infrastructure sector to establish sector-specific ISACs
In 2014, AGA launched the Downstream Natural Gas Information Sharing and Analysis Center.

“Information sharing is a fundamental pillar of a robust cyber and physical defense effort. The DNG ISAC is tailored to address the distinct operational needs of the downstream natural gas sector and provides the technological sophistication and coordination necessary to meet the ever-changing threats of the 21st century.”
Dave McCurdy, AGA President and CEO

The DNG ISAC is an online platform that will help natural gas utilities share and access timely, accurate and relevant threat information and further enhance the security of natural gas utilities.
Background
• In 2014 the American Gas Association (AGA) Board of Directors Executive Committee identified a gap in information sharing in the downstream natural gas sector
• At the time an informal communication method was being used for cybersecurity information sharing
• Given increased congressional and administration attention being provided on information sharing and ISACs, it was recommended that the Downstream Natural Gas – Information Sharing and Analysis Center (DNG-ISAC) be formed to fill the gap identified
• A group of AGA members came forward to both develop and found the DNG-ISAC and also committed to annual participation in the DNG-ISAC
Mission
• The Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC) serves downstream natural gas companies (distribution companies/utilities) by facilitating communications between participants, the federal government, and other critical infrastructures
• The DNG-ISAC promptly disseminates threat information and indicators and provides analysis, coordination and summarization of related industry-affecting information
• Operates as a nonprofit entity
• Speeds security alerts to multiple recipients
• Provides secure information sharing
E-ISAC Coordination
• From its inception, the DNG-ISAC was designed to collaborate directly with the E-ISAC
• Both ISACs have undergone significant technology enhancements and are currently positioned for integration for direct information sharing
• The DNG-ISAC serves predominantly natural gas companies and the E-ISAC serves electric and combination companies, alleviating the need for companies to monitor multiple ISACs
• The integration will provide the information flow for situational awareness across the energy sector
Multi-Directional Information Sharing
• The DNG-ISAC has a dedicated cyber intelligence analyst
• DNG-ISAC sources include:
   • Industrial Control System-Computer Emergency Response Team (ICS-CERT)
   • Homeland Security Information Network (HSIN)
   • Federal Bureau of Investigation (FBI)
   • Downstream Natural Gas Companies
• The DNG ISAC is a member of the National Council of ISACs (NCI) and participates in regular NCI meetings and a daily inter-industry threat briefing call
Cross-Sector Cyber Threat Response
Electrical and Financial Sector ISAC Collaboration
• Daily surges of “Whale Phishing” noted by several ISACs
• Sectors compare IPs, Tactics, Techniques, Procedures
• DNG Analyst determines commonality in email styles, FS and ES in addressing and sources
• Joint release to TCPs of summaries, data, best practices, and recommended staff training to avoid the phish hook
DNG-ISAC Responds to Physical Threat
Milford, PA Gas Compressor Station Arson
• Aug 8, 2015 – fire reported at compressor station under construction
• Local anti-pipeline coalition releases press statement that fire was due to worker negligence
• Aug 11 – State Police determine arson as cause, damage $90,000
• Aug 14 – Pipeline company contacts DNG Analyst
• Aug 17 – DNG produces analysis and recommendations and informs sector members for heightened awareness
Cybersecurity Threat Neutralized
Adobe Flash Exploits Countered
• Hack of surveillance software company yields multiple zero-day attacks against Adobe Flash
• DNG-ISAC proactively publishes recommendations
   • Eliminate Flash unless vital
   • Change Flash settings to Click-to-play
• DNG releases to TCP
• Provides follow-up training for member queries
• Industry follows within 48 hours
Typo-Squatting
• DNG ISAC and ES ISAC collaborate to share cybersquatting info
• Domains registered with slight spelling variations
   • For example BANKW1THME.COM vs BANKWITHME.COM
   • Used for phishing and fraud
   • Easy to do
• Immediate member feedback
   • Reported bad IP had sent email that day
   • Tracked to recipient
   • Recipient well-trained, did not open
   • IPs blocked
• Hundreds of members warned so far
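The lookalike-domain check this slide describes, as an added example rather than DNG-ISAC or AGA code: it folds common character substitutions such as the 1-for-I in BANKW1THME.COM, then compares a sender's registrable label against a protected-domain list by edit distance so a mail gateway or analyst can triage senders. The homoglyph table, the protected list and the sample addresses are constructed for the example.

```python
# Constructed substitution table: characters attackers swap for lookalikes.
HOMOGLYPHS = {"1": "i", "l": "i", "0": "o", "3": "e", "5": "s",
              "7": "t", "8": "b", "rn": "m", "vv": "w"}

PROTECTED = {"bankwithme.com"}  # constructed: the brand domain from the slide

def normalize(label):
    """Fold homoglyphs so 'bankw1thme' and 'bankwithrne' both become 'bankwithme'."""
    s = label.lower()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s

def levenshtein(a, b):
    """Edit distance between two short labels (one-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """'mail.bankw1thme.com' -> 'bankw1thme' (assumes a one-label public suffix)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify_sender(domain, protected=PROTECTED, max_distance=1):
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender domain."""
    d = domain.lower()
    if d in protected or any(d.endswith("." + p) for p in protected):
        return "legitimate"
    label = normalize(registrable_label(d))
    for p in protected:
        if levenshtein(label, normalize(registrable_label(p))) <= max_distance:
            return "lookalike"  # same brand label after folding, or one edit away
    return "unrelated"

def triage(addresses):
    """Map each sender address to its classification."""
    return {a: classify_sender(a.rsplit("@", 1)[-1]) for a in addresses}

# Constructed sample senders, not real mail.
SAMPLE = ["alerts@bankwithme.com", "secure@BANKW1THME.COM",
          "it@bankwithrne.com", "billing@bankwithme.co", "news@example.org"]
```

A hit on "lookalike" is a triage signal for the analyst, not proof of fraud; a different top-level domain owned by the same brand would need to be added to PROTECTED.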
Prykarpattya Oblenergo Ukraine
TLP AMBER
• DECEMBER 2015 – Ukrainian Power Grid Attacked
• Hundreds of thousands of customers lost power
• Power companies unable to determine extent of outage
• TDOS campaign against call center blocked legitimate customer calls
• Power mostly restored in three hours
• Electronic system management disabled and destroyed
• Required physical travel to substations to reset breakers and restore power
• Manual operations enabled this
Prykarpattya Oblenergo Ukraine
TLP AMBER
• Spearphishing email sent to power company employees
• BlackEnergy malware spread by infected Excel spreadsheets
• DNG ISAC reported BlackEnergy using infected Excel spreadsheets in February 2015
• Computer screens frozen – showed operator normal status
• Combined with TDOS against phones, made it impossible to know power was out
• BlackEnergy used to block repairs/obscure attacks
• KillDisk partially successful in blocking recovery attempts
• Disabled automatic systems that would have reset breakers
Prykarpattya Oblenergo Ukraine
TLP AMBER
• BlackEnergy malware
   • BlackEnergy 2 found on systems in March 2015
      • Searches for specific network components
      • Reported as removed
   • BlackEnergy 3 found during December attacks
      • More capable of penetrating networks
      • Used for reconnaissance
      • Dropped BE2
      • Contains KillDisk
Prykarpattya Oblenergo Ukraine
TLP AMBER
[Diagram; labels recoverable from the slide: BE3; STATUS FREEZE, TDOS, BREAKERS; PASSWORDS HARVESTED; BE2; BREAK THINGS WITH KILLDISK]