At the 2011 NARUC Winter Committee Meetings, Patrick Miller teamed up with seasoned security experts Miles Keogh from NARUC and Bill Hunteman from the Department of Energy to deliver an engaging Cybersecurity Boot Camp.
Don't Get Hacked! Cybersecurity Boot Camp
1. Don’t Get Hacked! Cybersecurity Boot Camp
Patrick C Miller, EnergySec / NESCO
Bill Hunteman, US DOE
Miles Keogh, NARUC
February 13, 2011
NARUC Winter Committee Meetings
Marriott Renaissance, Washington DC
2. Our Drill Instructors!
• Miles Keogh
– Director of Grants and Research, NARUC
• Patrick C Miller
– Founder, President and CEO, EnergySec
– Principal Investigator, National Electric Sector Cybersecurity Organization (NESCO)
– Former Director, NERC CIP Practice, ICF International
– Former Manager, WECC CIP Audits & Investigations
– Corporate Security staff for several Pacific Northwest utilities
– Deep roots in Telecom sector, IT and Industrial Control Systems
– CRISC, CISA, CISSP-ISSAP, SSCP, CEH, CVI, NSA-IAM
3. Our Drill Instructors!
• Bill Hunteman
– Chief Advisor for Cybersecurity, US Department of Energy
– DOE Chief Information Security Officer (CISO) and Associate CIO for Cyber Security
– Cybersecurity Program Manager for the DOE National Nuclear Security Administration
– Worked in the Los Alamos and Sandia National Laboratories
– Managed cybersecurity research and development activities
– Participated in the development of national and international cyber security criteria
– Joint projects with Russia to improve cyber security in the Russian nuclear weapons complex
– Design and development of high performance computer networks and operating systems for many of the supercomputers used by DOE (and its predecessors)
– Bachelor of Science in Mathematics and Master of Science in Electrical Engineering/Computer Science
4. What We’re Covering Today
• What’s the “Cyber” in “Cyber security?”
• What are we trying to protect?
• What threats do we face?
• What are the challenges of instituting cyber security?
• Where do the vulnerabilities within the system exist?
• What can Commissions do about it?
• What are the policy structures you have to work with?
5. What Have You Seen?
• How well do you understand the confluence of networked and traditional devices?
• Has cybersecurity come before your commission?
• What has that looked like?
• What questions do you have about cybersecurity?
• Is cybersecurity a concern at your commission?
9. Night Dragon
• Recently published by McAfee
• Activity designed to obtain sensitive data from
targeted organizations in global oil and energy
industries…
The National Electric Sector Cybersecurity Organization (NESCO) is a DOE-funded EnergySec Program
10. Night Dragon
• Source appears to be China, but this is difficult to
confirm exactly
• Began Nov 2009, possibly as early as 2007
• Techniques:
– Social engineering
– Spear-phishing attacks
– Exploitation of Microsoft Windows vulnerabilities
– Microsoft Active Directory compromises
– Remote administration tools (RATs)
11. Night Dragon
• Harvesting sensitive competitive proprietary
operations, and project-financing information for oil
and gas field bids and operations
• Controlled systems, then cracked accounts to move
to more sensitive information/systems
• Focus was on operational oil and gas field
production systems and financial documents related
to field exploration and bidding
• In certain cases, the attackers collected data from
SCADA systems
12. Stuxnet
• First publicly disclosed control systems rootkit, but certainly won't be the last...
• USB vector; focused on air-gapped networks
• Highly sophisticated; infects everything, then rewrites PLC logic and hides
• Undermines integrity of control system
• Most regulations wouldn’t have stopped it
• No 100% security against determined adversary
13. SHODAN, ERIPP, ETC
14. SHODAN, ERIPP, ETC
[Image: Berkeley Cyclotron HMI images]
15. There’s An App For That
• “Get mobile access to your control
system via an iPhone, iPad,
Android and other smartphones
and tablet devices. The Ignition
Mobile Module gives you instant
access to any HMI / SCADA
project created with the Ignition
Vision Module.”
16. Public Domain
17. Only The Disclosed
19. Research and Disclosure
• October 24, 2010, 12:39PM, Threat Post
– SCADA Vendors Still Need Security Wake Up Call
• http://threatpost.com/en_us/blogs/scada-vendors-still-need-security-wake-call-102410
– Please don't waste my time
• October 28, 2010: ICSJWG Seattle Meeting
– Invensys, IOActive, ICS-CERT presented on case study on
Wonderware vulnerability
• Disclosure positions are hotly debated
20. From Obscurity To Novelty
• Smart Meter hacking
• Hacking cookbooks
• Metasploit
• Fuzzers
• Supply chain attacks
• Manuals available in all languages on Internet
21. Shiny Object
• Shiny object for the mass media
• 60 minutes
• Wall Street Journal, National Journal, CNN
• Too many IT trade publications to name
• Blockbuster films
• Prime time television shows
• Social Media (blogosphere, Twitter)
22. Economic Drivers
• Recession economy brings unique challenges
• Decreased participation in working groups and conferences
• Static or shrinking headcount; increased workload
• Insider threat increases
• Decreased spending on new equipment
• Older products extended beyond intended lifespan
• Security is expensive for customers and vendors
23. People Problem
• Humans are the weakest link in any security system
– Passwords for candy; Social engineering
• Humans are also the strongest link in any security
system
– The Aware Person System (APS)
– ICS culture shift is very slow, but can be very powerful
• Danger: unskilled/untrained operators of power
tools can cause significant damage
– Increasing complexity = training treadmill
24. People Solution
• So you’ve bought all of the fancy
cybersecurity gizmos…
– What about the skilled staff to use
them?
• So you’ve put cameras in all
critical sites…
– What about the staff to monitor and
respond?
• An appropriate balance of skilled
people and current technology
must be used
25. Back In The Good Old Days
• Pneumatic, electromechanical, analog
• Telephone meant POTS or “bat phone”
• No Internet
• Less automation
• Less complexity
• Proprietary
• Long life span
26. ICS Gen-X
• Automation, more complexity
• Internet Protocol (TCP/UDP/etc)
• Data, more data and even more data
• Processing power, memory, bandwidth = SPEED!
• Interconnected business
• Flat networks
• COTS software and hardware
• Increasingly shorter lifespans
27. Millennium Systems
• Highly digital, highly complex
• Highly interconnected, highly layered
• Bitflocking, dynamic emergent behavior
• New protocols
• New interdependencies
• Homogenization
• Innovation treadmill; constant lifespan flux
28. Bigger, Better, Faster
• ARRA and other green dollars are flowing
• SCADA devices now come with a flash-webserver-
WiMax-mesh-ZigBee-kitchensink
• Mixing legacy and bleeding edge tech is difficult
• Logical distance between kinetic endpoint and HMI
is exponentially increasing; “hyperembeddedness”
• Most (but not all) vendors put features first, security
last; this will not change in the foreseeable future
29. Advantage: Attackers
• Security approaches favor new installations, legacy
environments are still vulnerable
• Very difficult to replace/patch in-service devices
• Stuxnet: game changer, sets the new bar - even
when sophisticated attacks aren’t necessary
• Organized crime will top Nation States and Non-
Government Organizations (NGOs) as biggest threat
• Welcome to the cyberarms race
30. Cybersecurity Vocabulary
• Network
• Connectivity
• Packet
• Header
• Traffic
• Bandwidth
• Latency
• Internet Protocol
• Virus/Trojan/Malware
• Firmware
• Denial of Service
• NIST
• NERC CIP
• SCADA
• Encryption
• Credential
31. Information Technology 101
• Connectivity: how the systems talk to each other (listed from least to most device intelligence)
– Hub (“dumb”)
– Switch
– Managed Switch
– Router
– Firewall
– Next Generation Firewall
– Workstation/Server (“smart”)
• What are we building for?
32. Three Flavors
• Business Systems
• Control Systems
• “Smart Grid”
33. Business IT Security
• Typical approach: password, firewall, anti-virus, etc
• Protecting four key domains
1. Confidentiality – preventing unauthorized access to
information
2. Integrity – preventing the unauthorized modification or
theft of information
3. Availability – preventing the denial of service and ensuring
authorized access to information
4. Non-Repudiation – preventing the denial of an action that
took place or the claim of an action that did not take place
34. What Is A Control System?
[Diagram: Human Machine Interface, Control Valve, Programmable Logic Controllers, and a Basic Motor Control ladder logic rung (L1/L2 rails, START and STOP contacts, O.L. overload contact, M motor contactor)]
Field Devices: Meters, Sensors
I/O: PLC, IED, RTU, Controller
Remote Comms: Protocols, Wired, Wireless
Master: SCADA Server, HMI, EMS, DCS
35. IT vs ICS Security
TOPIC                   | Information Technology     | Industrial Control Systems
Anti-Virus/Mobile Code  | Common, widely used        | Uncommon, impossible
Typical Lifespan        | 3-5 years                  | 15-20 years
Outsourcing             | Common, widely used        | Rare, uncommon
Patch Management        | Regular, scheduled         | Slow, vendor-specific
Change Management       | Regular, scheduled         | Uncommon
Time Critical Content   | Generally delays accepted  | Critical due to safety
Availability            | Generally delays accepted  | 24 x 7 x 365 x forever
Security Awareness      | Good                       | Poor, except physical
Security Testing/Audit  | Scheduled, mandated        | Occasional, uncommon
Physical Security       | Secure                     | Remote and unmanned
36. Typical Architecture
[Diagram: Internet / Firewall / Corporate Network / Process Control Network / SCADA and other field devices]
37. Smart Grid Complications
38. Smart Grid Complications
39. What Have You Seen?
• Did cyber security appear in your filings and
hearings?
• How did this fit in your list of priorities?
• What elements were most important?
– Privacy?
– Reliability?
– Cost?
– Security Effectiveness?
– Upgradeability as a solution or vulnerability?
40. Threat Sources
• Inadvertent errors
• Power system equipment
malfunctions
• Communication
equipment failure
• Deliberate malicious acts
41. Threat Types
• Replay attacks
• Indiscretions (leaks) by
personnel
• Brute force
• Bypass controls
• Man-in-the-Middle
• Denial of Service
• Resource Exhaustion
42. Nothing New Under The Sun
• Mature security practices; highly refined
– Defense in Depth
– Principle of Least Privilege
– Segregation of Duties
– Need to Know
– Confidentiality, Integrity, Availability
• No Silver Bullet, 100%, Total Security
• Strong protection has never been easy, inexpensive
or quick to implement
• Tradeoff between functionality and security
43. Strategies for Defense In Depth
• Governance, policy
• Authentication
• Authorization
• Admission control
• Encryption
• Integrity checking
• Auditing, detection
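The replay and man-in-the-middle threats listed under “Threat Types” and the authentication, integrity-checking and auditing layers listed here can be shown together in one small exchange. The following is an added example, not from the deck or from NESCO, NARUC or DOE: a constructed HMI-to-RTU command message protected with an HMAC and a strictly increasing sequence number, beside a legacy receiver that authenticates nothing. The message layout, the field names, the command names and the shared key are assumptions made for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed shared key for this example only; a real deployment would
# provision a per-device key out of band rather than embed it in code.
SHARED_KEY = b"example-rtu-key-not-for-production"


def _mac(key: bytes, seq: int, cmd: str, arg: int) -> str:
    """HMAC-SHA256 over every field that must not change in transit."""
    canonical = f"{seq}|{cmd}|{arg}".encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


@dataclass
class HMI:
    """Sender side: numbers each command and signs it with the shared key."""
    key: bytes
    seq: int = 0

    def build(self, cmd: str, arg: int) -> dict:
        self.seq += 1
        return {"seq": self.seq, "cmd": cmd, "arg": arg,
                "mac": _mac(self.key, self.seq, cmd, arg)}


@dataclass
class RTU:
    """Receiver side: verifies the MAC first, then enforces that the
    sequence number is higher than the last accepted one (replay check),
    and writes one audit line per decision."""
    key: bytes
    last_seq: int = 0
    state: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def handle(self, msg: dict) -> str:
        expected = _mac(self.key, msg["seq"], msg["cmd"], msg["arg"])
        # Constant-time comparison so the check does not leak how many
        # characters of the MAC matched.
        if not hmac.compare_digest(expected, msg["mac"]):
            return self._log("REJECT bad-mac", msg)
        if msg["seq"] <= self.last_seq:
            return self._log("REJECT replay", msg)
        self.last_seq = msg["seq"]
        self.state[msg["cmd"]] = msg["arg"]
        return self._log("ACCEPT ok", msg)

    def _log(self, verdict: str, msg: dict) -> str:
        self.audit.append(
            f"{verdict} seq={msg['seq']} cmd={msg['cmd']} arg={msg['arg']}")
        return verdict.split()[0]  # "ACCEPT" or "REJECT"


class LegacyRTU:
    """Receiver with no authentication: whatever arrives is executed."""
    def __init__(self) -> None:
        self.state: dict = {}

    def handle(self, msg: dict) -> str:
        self.state[msg["cmd"]] = msg["arg"]
        return "ACCEPT"


def demo() -> dict:
    """Run the exchange against both receivers and return what each did."""
    hmi, rtu, legacy = HMI(SHARED_KEY), RTU(SHARED_KEY), LegacyRTU()
    m1 = hmi.build("SET_BREAKER", 1)   # constructed command 1
    m2 = hmi.build("SET_VALVE", 60)    # constructed command 2
    replayed = dict(m1)                # a captured copy of command 1
    tampered = dict(m2)                # command 2 with its argument altered
    tampered["arg"] = 100
    results = {"first": rtu.handle(m1), "second": rtu.handle(m2),
               "replayed": rtu.handle(replayed),
               "tampered": rtu.handle(tampered)}
    for m in (m1, m2, replayed, tampered):
        legacy.handle(m)
    results["state"] = dict(rtu.state)
    results["legacy_state"] = dict(legacy.state)
    results["audit"] = list(rtu.audit)
    return results


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The audit lines are the “detection” layer: a rejected replay or bad MAC is a signal worth alerting on, not just an error to drop silently.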
44. Defense In Depth: Example
• NERC CIP Standards
– CIP-002 – Critical Cyber Asset Identification
– CIP-003 – Security Management Controls
– CIP-004 – Personnel & Training
– CIP-005 – Electronic Security Perimeter(s)
– CIP-006 – Physical Security
– CIP-007 – Systems Security Management
– CIP-008 – Incident Reporting & Response Planning
– CIP-009 – Recovery Plans for Critical Cyber Assets
45. Proven Security Solutions
• Physical Protection
• Network Controls: Admission, Segmentation
• Strong ID, Authentication and Authorization
• Aware Person System (Training and Awareness)
• Intrusion Detection/Prevention
• Integrity Assurance
• Application Whitelisting
• Response and Recovery
46. You Don’t Need a Perfect Defense
• If defensive measures can be beaten, does the system ensure the results of the attack are:
– Unprofitable
– Limited in their ramifications
– Hard enough to make the “juice” not worth the “squeeze”
– Difficult to replicate
– Quickly and easily recoverable
– Traceable and easy to detect; and
– Otherwise unappealing
47. Why Your Role Is Increasing
• Increased attacks to business processes
• NERC CIP compliance
• The deployment of smart grid
• These are increasingly drivers for cost recovery consideration and other contexts in cases that are coming your way very soon
• Is that reflected in what you’re seeing / hearing?
48. Proposal: Roles for Public Utility Commissions
1. Ask the right questions when considering cost recovery of prudent utility expenditures for cyber security.
2. Assuring that cyber security requirements that utilities are subject to are being met.
– PUC Staff need to be up-to-date on cyber security requirements and potential threats.
3. Assuring that the PUC’s computer systems and operations are subject to on-going cyber security reviews and remediation, and that disaster recovery plans are in place and tested.
– This also includes cyber security awareness for agency employees.
4. Understand and participate in regional and national efforts for protecting critical infrastructure
49. Cybersecurity Investments: What To Ask
• Worth saying twice: someone at the PUC staff needs to be up-to-date on cyber security requirements and potential threats.
• Ask how security is addressed (conceptually) for each component
• Don’t accept assurances that all products used were built to be secure, or that IT solutions will work for SCADA systems. Insist that vendors document & independently verify their security controls
• Use compliance as a floor, not a ceiling: Ask to see risk assessment documentation
• Ensure security is budgeted for and individuals are assigned responsibility
• Ensure service providers (for example, telcos, meter data processors) are included in risk assessment and provide sufficient information
• Ensure integrated security between business systems and control systems for existing grid and for smart grid
50. Three examples of State action
• Pennsylvania
• Missouri
• New York
• PUCs don’t need to become cyber experts or enforcers, but if you ask a utility a question they will return with an answer
51. Cybersecurity Requirements
and Resources
• For the Bulk Power System:
– The North American Electric Reliability Corporation --
Standards CIP-002 through CIP-009 (the Critical Cyber Asset
Identification portion of the Critical Infrastructure Protection
standards)
– http://www.nerc.com/page.php?cid=2|20
• For the Smart Grid:
– The National Institute of Standards and Technology (NIST)
smart grid interoperability standards and specifications for
inclusion in the Smart Grid Interoperability Standards
Framework, Release 1.0. These include three volumes on
cyber security
– http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628
• What’s Missing?
– Distribution systems, serial control systems, and other gaps
52. Smart Grid Investment Grant Program
• Requires a description of how cyber security concerns will be
addressed with respect to the use of best available
equipment and the application of procedures and practices
involving system design, testing, deployment, operations and
decommissioning, including at a minimum:
i. A description of the cyber security risks at each stage of the system
deployment lifecycle,
ii. Cyber security criteria used for vendor and device selection,
iii. Cyber security control strategies,
iv. Descriptions of residual cyber security risks,
v. Relevant cyber security standards and best practices, and
vi. Descriptions of how the project will support/adopt/implement
emerging smart grid security standards
Source: Notice of Intent to Issue a Funding Opportunity Announcement For the Smart Grid Investment Grant Program, April 16, 2009
53. Is Smart Grid More Vulnerable?
Source: “San Diego Smart Grid Study”, October 2006
Power outages cost between $80 billion and $150 billion every year
54. Energy Independence and Security Act
• In the Energy Independence and Security Act (EISA) of 2007, Congress established the development of a Smart Grid as a national policy goal.
• Under EISA, NIST is directed to “coordinate the development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems” as well as maintain the reliability and security of the electricity infrastructure.
56. Interoperability Framework
[Diagram, layered from top to bottom:]
• Testing and Certification
• Standards
• Security Architecture and Requirements
• Conceptual Reference Model
• Business and Public Policy Requirements
57. NIST Three Phase Plan
• PHASE 1: Identify an initial set of existing consensus standards and develop a roadmap to fill gaps
• PHASE 2: Establish public/private Standards Panel to provide ongoing recommendations for new/revised standards
• PHASE 3: Testing and Certification Framework
[Timeline: 2009 – 2010]
58. Smart Grid – an Opportunity
• Modernization provides an opportunity to improve security of the Grid
• Integration of new IT and networking technologies
– Brings new risks as well as an array of security standards, processes, and tools
• Architecture is key
– Security must be designed in – it cannot be added on later
59. CSWG
• To address the cross-cutting issue of cyber security, NIST established the Cyber Security Coordination Task Group (CSCTG) in March 2009
• Moved under the NIST Smart Grid Interoperability Panel (SGIP) as a standing working group and was renamed the Cyber Security Working Group (SGIP–CSWG)
• The CSWG now has more than 475 participants from the private sector (including vendors and service providers), academia, regulatory organizations, national research laboratories, and federal agencies
60. Guidelines for Smart Grid Cyber Security
• NIST Interagency Report 7628 - August 2010
– Development of the document led by NIST
– Represents significant coordination among
  • Federal agencies
  • Private sector
  • Regulators
  • Academics
– Document includes material that will be used in selecting and modifying security requirements
61. NISTIR 7628 – What it IS and IS NOT
What it IS
• A tool for organizations that are researching, designing, developing, and implementing Smart Grid technologies
• May be used as a guideline to evaluate the overall cyber risks to a Smart Grid system during the design phase and during system implementation and maintenance
• Guidance for organizations
– Each organization must develop its own cyber security strategy (including a risk assessment methodology) for the Smart Grid.
What it IS NOT
• It does not prescribe particular solutions
• It is not mandatory
63. NISTIR 7628 Content
The NISTIR includes the following
• Executive Summary
• Chapter 1 – Overall cyber security strategy for the Smart Grid
• Chapter 2 – High level and logical security architecture
• Chapter 3 – High level security requirements
• Chapter 4 – Cryptography and key management
64. NISTIR 7628 Content (2)
• Chapter 5 – Privacy and the Smart Grid
• Chapter 6 – Vulnerability Classes
• Chapter 7 – Bottom-up security analysis of the Smart Grid
• Chapter 8 – R&D themes for cyber security in the Smart Grid
• Chapter 9 – Overview of the standards review
65. NISTIR 7628 Content (3)
• Chapter 10 – Key power system use cases for security requirements
• Appendices A – J
66. How to Participate in CSWG
• NIST Smart Grid portal http://nist.gov/smartgrid
• Cyber Security Working Group
– Lead: Marianne Swanson (marianne.swanson@nist.gov)
– NIST Support: Tanya Brewer (tanya.brewer@nist.gov)
• Cyber Security Twiki site
• http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CyberSecurityCTG
67. Security of PUC’s computer systems
This may be the responsibility of another state agency or office, but the implication of a failure will impact the business operation of the Commission
• Assuring that the computer systems that the PUC relies on have on-going cyber security reviews and remediation of identified vulnerabilities.
• Disaster recovery plans are in place and tested and Continuity of Operation Plans have been developed.
• Cyber security awareness for agency employees including social engineering and insider threats.
68. Continuity of Operation Plans (COOP)
• Internal contingency plans of government and business to assure the rapid resumption of essential functions as soon as possible if they are disrupted for any reason: e.g., fire, tornado, hurricanes, wildfires, earthquakes, terrorism, pandemics, etc. – Build Self-reliance and Resiliency
• Helps assure that critical/essential functions can quickly resume operations
• Addresses key or essential employees, required facilities, computer system records and back-up data systems, etc.
• Minimize damage & losses
• Management succession & emergency powers
69. On what cyber systems do you rely?
• What IT systems support critical PUC functions?
• What are the backed up systems?
• What systems are needed to support restoration?
• What systems are needed operationally?
• In what sequence should systems be restored?
• What are the telecommunication needs and requirements?
Hourly Loss from Downtime in the Information Technology Sector: $1.3 million/hr
72. Resilience Factors
• Robustness
– The ability to operate or stay standing in the face of
disaster
• Resourcefulness
– skillfully managing a disaster once it unfolds
• Rapid Recovery
– The capacity to get things back to normal as quickly as
possible after a disaster
• Learning lessons
– Having the means to absorb the new lessons that can be
drawn from a catastrophe
73. Resilience Considerations
• Resilience depends on humans
– Human networks are key
– Ability to work together and individually
– Potential for panic or confusion
– Build necessary connections (relationships) in advance
• In the event of an electric power sector cyberattack,
do you know:
– Your role? If not, whose role it is to act?
– Who to call? What they can /should do?
74. Protecting The Right Stuff
• Very little security actuarial data vs. engineering
actuarial data
• Most organizations don't communicate details of security breaches
• Most estimates are based on FUD (Fear,
Uncertainty and Doubt)
• Need better/current data on:
– What is being attacked? (most preferred targets)
– Which attacks were successful?
75. Product/Service Problem(s)
• Utilities are married to their products [and vendors]
for many years
• Most products are very expensive to replace or
upgrade and challenging to coordinate
• Product vendors are trying to balance security and
profit; guess which one wins…
• Some vendors are responsive, most are not
• SCADA Procurement Language can help, but only
for new purchases
76. What Can State Regulators Do?
• Get educated (even more than today)
• Strategic communication, in all directions
• Build new relationships and reshape old
• Support measures to get actuarial data
• Support secure procurement measures
• Support security training/education
• Support appropriate staffing levels
• Rethink the rate case approach
77. What Can State Regulators Do?
• Ask questions…
– Are you using the SCADA Procurement Language?
– Are you participating in local, state, regional, national
security/disaster exercises?
– What security training/education/awareness are you
providing to your staff and how often?
– Where do you get your situational awareness data?
– What cybersecurity technologies do you use?
– Have you performed a full [exhaustive] inventory of all
control systems and all associated communication links?
78. Education and Training
• What is happening in Operations, Federal, States?
• OpSec, Red-Blue, Security Body of Knowledge,
security concepts
• Security practices change rapidly
– Need for training on new tactics and new technology is
perpetual
• Lack of education leads to a false sense of security
– Otherwise known as knowing just enough to be dangerous
79. Communication
• Ratepayers want a secure grid, until they see the bill
– Expect rate shock
– Rates could triple or more, for some infrastructures
• Common Practice vs. Best Practice
• Early and regular, fact-based communication can
minimize negative public reaction
• Remind ratepayers that smart, informed decisions
are being made
80. Communication
• Keep the story fresh; lather, rinse, repeat
• Leverage existing Safety communication vehicles/
mechanisms
– Newsletters
– Mailers, billing notices
– Public service announcements
– Sponsored events
• Partner with utilities, Federal agencies and even
Media to convey a unified message
81. Relationships
• Get out and talk to your operators
• Get to know the industry thought leaders
• What are your peers doing?
• Situational Awareness
– NESCO, VirtualUSA, Einstein, Fusion centers, Infragard…
• Take a partnership approach to the rate case (vs.
adversarial) as much as possible
82. Closing Thoughts
• Cybersecurity is worth taking seriously, but will have to fit into
a long list of concerns and priorities
• There are few response networks for utility sector
cybersecurity among State Governments
• Few of those evaluating cybersecurity investments
understand cybersecurity
• An unskilled operator of any power tool will hurt themselves
and those around them
– Training and staffing are imperative
• A culture shift is the first ingredient for success
• Soft-skills may matter more than technical skills
83. Questions?
Patrick C Miller, President and CEO, EnergySec; Principal Investigator, NESCO
patrick@energysec.org
503-446-1212
Miles Keogh, NARUC Director of Grants & Research
mkeogh@naruc.org
202-898-2217
Bill Hunteman, Chief Cyber Security Advisor, US Department of Energy, Office of Electricity Delivery & Energy Reliability
William.hunteman@doe.gov