Operating Policies and Procedures
Emergency System Operations
OPP 808
Issued for consultation: 2009-09-02
Supersedes: 2008-11-13
808 SABOTAGE EVENT REPORTING
1. Purpose
To set out the policies and define responsibilities and procedures for identifying and reporting confirmed or suspected sabotage events, including cyber sabotage events, that could affect the safe and reliable operation of the Alberta Interconnected Electric System (AIES).
2. Background
“Sabotage event”, as used in this OPP, is as defined in the Alberta Reliability Standard’s Glossary. Sabotage and cyber sabotage are interpreted as incidents that prevent the ISO from carrying out its responsibilities by affecting the reliable operation of the AIES. Examples would include, but are not limited to, occurrences or resulting circumstances suspected or determined to have been caused by the deliberate destruction, damage or degradation of equipment, facilities, computer systems, communication systems and telecommunication systems used by the ISO, Transmission Facility Owner (TFO), Generation Facility Owner (GFO) and Wire Owner (WO).
The process and communication protocol outlined in this OPP addresses the assessment and reporting aspects of all confirmed or suspected acts of sabotage or cyber sabotage affecting the AIES. Reports to the system controller (SC) may originate from entities internal to Alberta. The entities include ISO staff, TFO, GFO, and WO except those that only operate facilities below 25kV. External reports may originate from adjacent balancing authorities or the Western Electric Coordinating Council’s (WECC) Vancouver reliability coordinator (VRC).
3. Policy
• Sabotage events that pose, or may pose, a direct threat to the AIES must be reported to the SC in accordance with this OPP.
• The ISO will develop procedures to identify, report, and respond to sabotage and cyber sabotage (confirmed or suspected) including the contact phone numbers for local police and the RCMP. Applying the methodology of risk-based assessment, the ISO will create a list of critical assets and will review this list at least annually. The critical assets list will be approved by an ISO executive or designate.
• When a TFO or GFO suspects or has confirmed that a sabotage incident has occurred following their procedures or protocols, they will report the occurrence to the SC.
• The SC, Operations-On-Call (OOC) and the Incident Commander (IC) must follow the process outlined in Figure 2 and detailed in Section 4 of this OPP to communicate and file reports on sabotage events.
DRAFT 2 Issued for Stakeholder Consultation: 2009-09-10
4. Responsibilities
4.1 ISO
The ISO must:
• Review and update this OPP and the contact information in this OPP as required or annually.
• Maintain a signed and dated record after the annual review of the Critical Assets and Critical Cyber Assets lists. This record must be approved by an ISO executive or delegate.
• Provide the SC with the capability to receive information on sabotage events on the interconnection.
• Identify, report, and respond to multi-site sabotage events.
• After a sabotage event has been reported to it, contact the local police force, the RCMP and the Alberta Security and Strategic Intelligence Support Team (ASSIST) (see Table 1).
Operations On Call (OOC) must, after it has been notified by the ISO of a sabotage event:
• Notify the IC immediately.
• Take direction from the IC, and assist the IC with the performance of the IC’s duties.
Incident Commander (IC) must, after being notified by the OOC of a sabotage event:
• Follow internal protocols established to deal with threats and sabotage events.
• Consult and coordinate with ISO senior management, ISO security staff, and ISO communications staff in the preparation of all reports and information releases.
• Use, where appropriate, the reference information posted on the NERC web site at http://www.esisac.com pertaining to Threat and Incident Reporting, referring to the criteria for reporting various acts of sabotage on NERC’s website, to develop the report for the VRC/NERC.
• Draft all reports including the preliminary report to be filed with the VRC.
• Identify the recipients who will receive the reports and updates from the ISO.
System Controller
The SC must, after a sabotage event has been reported to it:
• Gather details of the sabotage event.
• Notify the OOC immediately. Refer to procedure found in section 5. (Is this not the same as in s. 5(2) below?)
• Submit the preliminary report developed by the IC to the VRC.
• Based on the direction of the IC, communicate reports and updates provided by the IC to recipients identified to it by the IC.
4.2 Transmission Facility Owners, Generation Facility Owners and Wire Owners
Each TFO, GFO or WO (except those that only operate facilities below 25kV) must:
• Have the ability to receive information about sabotage events on the interconnection.
• Follow internal procedures for reporting sabotage events to the local police force.
• Report sabotage events to the SC for situations that may have a significant impact on the AIES. Examples may include but are not limited to situations of heightened operational awareness or situations that may result in a reconfiguration in the AIES in order to maintain system reliability. Single events of vandalism or minor tampering of less critical components must be reported to the SCC management on the next business day if the incident is escalated within the market participant’s organization.
5. System Controller Procedures
When a sabotage event is reported to the SC, the SC must:
1. Gather details of the sabotage event and complete as much information in the System Sabotage Event Reporting Form or Cyber Sabotage Event Reporting Form (Figure 1) as possible.
2. Notify the OOC immediately.
3. Take direction from the IC on the information to report to the IC’s identified recipients. There are security issues that must be considered before the SC can file any reports. See Figure 2.
4. File the preliminary report developed by the IC with the VRC. Refer to 4.1 IC responsibilities.
5. Log the sabotage event in the Shift Log (see OPP 1301), posting for internal use only.
6. Disseminate reports and updates provided by the IC to the recipients that the IC has identified. This dissemination could be on ADaMS if the IC directs that all market participants are to be notified or via Global Talk if the IC directs such information is only to be shared with each TFO and GFO.
6. Figures and Tables
Figure 1
System Sabotage Event Reporting Form
Internal Contact Information
External Contact Information
Recorded by
Name/Title
Date
Organization
Time
Email
7 x 24 Contact Info
What assistance is required?
Subject
System sabotage (continue on this page)
Cyber sabotage (2nd page)
Date and Time Event Occurred
Date and Time Event Resolved
Type of Incident (Where did the incident occur? What was affected?)
Generating station
Generating substation
Transmission substation
Distribution system
Control Centre
Energy Mgmt System
Information Systems
Other
Incident Summary
Damage (What were the consequences of the event?)
Numbers of systems affected
Nature of loss, if any
System downtime
Estimated incident cost
Additional Comments
Copies Sent To
Cyber Sabotage Event Reporting Form (continued)
Attack Vector
External
Infected web site
Software download
E-mail attachment
Removable media (diskette, CD, USB drive, etc.)
Other
Primary systems or infrastructure involved
Software affected (e.g., ABB Ranger, AREVA e-terra)
Operating system and version (Windows, UNIX, Linux)
Security software (AntiVirus, IDS/IPS, etc.)
Firewall information (Type/Version)
Network Equipment (Make, model and version)
Other
Type of malicious code (include name if known):
Virus
Trojan horse
Worm
Joke program
Other
Operation method (for new malicious code)
Details
Type: Macro, boot memory resident, polymorphic, self encrypting, stealth
Payload
Software infected
Files erased, modified, deleted, encrypted
Self propagating via e-mail
Detectable changes
Other features
Remediation (How was the event resolved?)
Details
Anti-virus product installed or updated
Firewall and/or server-based filtering updated
Software deleted, updated and/or restored
Network traffic rerouted or filtered
Update to security policies
Figure 2
Sabotage event notification process flow chart
[Flow chart not reproduced. Box labels: event considered to be sabotage or suspected to be sabotage; reported by AESO staff, TFO, GFO, WO, adjacent BA; System Controller; Operations on Call (OOC); Director Operations Integration or designate; Incident Commander; ISO Executive; Corporate Security; Communications; VRC; NERC; USA Homeland Security; Canadian Government Agencies.]
Red solid straight arrows indicate the flow of information from the source to the Incident Commander.
Dashed curved lines indicate the flow of information from the Incident Commander to the VRC/NERC, adjacent balancing authorities, and to recipients within the AIES, via the SC.
Table 1
Law enforcement and ASSIST contact information

Agency: Calgary Police Service
Contact: 911

Agency: Alberta Security and Strategic Intelligence Support Team (ASSIST)
Contacts:
Denis Huot, Manager, 780-427-4973, cell 780-966-4248, [email protected]
Gord Beagle, Field Officer, 403-592-4062, cell 403-801-7510, [email protected]
Sarah Weis, Administrative Support, 780-427-5089, [email protected]

Agency: RCMP, National Security Investigation Section
Contact: Sgt. Terrance Zeniuk or David Bibeau (24/7), 403 292-8705
7. Revision History
Issued: Description
2009-xx-xx: Supersedes 2008-11-13
2008-11-13: Supersedes 2008-05-30; only confidential information changed
2008-05-30: New issue, approved for interim implementation