NARUC
           Don’t Get Hacked!
        Cybersecurity Boot Camp

           Patrick C Miller, EnergySec / NESCO
                  Bill Hunteman, US DOE
                   Miles Keogh, NARUC
                            February 13 2011
                  NARUC Winter Committee Meetings
                  Marriott Renaissance, Washington DC
Our Drill Instructors!
•  Miles Keogh
   –  Director of Grants and Research, NARUC
•  Patrick C Miller
   –  Founder, President and CEO, EnergySec
   –  Principal Investigator, National Electric Sector Cybersecurity Organization (NESCO)
   –  Former Director, NERC CIP Practice, ICF International
   –  Former Manager, WECC CIP Audits & Investigations
   –  Corporate Security staff for several Pacific Northwest utilities
   –  Deep roots in Telecom sector, IT and Industrial Control Systems
   –  CRISC, CISA, CISSP-ISSAP, SSCP, CEH, CVI, NSA-IAM

Our Drill Instructors!
•  Bill Hunteman
   –  Chief Advisor for Cybersecurity, US Department of Energy
   –  DOE Chief Information Security Officer (CISO) and Associate CIO for Cyber Security
   –  Cybersecurity Program Manager for the DOE National Nuclear Security Administration
   –  Worked in the Los Alamos and Sandia National Laboratories
   –  Managed cybersecurity research and development activities
   –  Participated in the development of national and international cyber security criteria
   –  Joint projects with Russia to improve cyber security in the Russian nuclear weapons complex
   –  Design and development of high performance computer networks and operating systems for many of the supercomputers used by DOE (and its predecessors)
   –  Bachelor of Science in Mathematics and Master of Science in Electrical Engineering/Computer Science

What We’re Covering Today
•  What’s the “Cyber” in “Cyber security?”
•  What are we trying to protect?
•  What threats do we face?
•  What are the challenges of instituting cyber security?
•  Where do the vulnerabilities within the system exist?
•  What can Commissions do about it?
•  What are the policy structures you have to work with?

What Have You Seen?
•  How well do you understand the confluence of networked and traditional devices?
•  Has cybersecurity come before your commission?
•  What has that looked like?
•  What questions do you have about cybersecurity?
•  Is cybersecurity a concern at your commission?

Rising Cybersecurity Threats

The National Electric Sector Cybersecurity Organization (NESCO) is a DOE-funded EnergySec Program

CyberWar (InfoWar)




Aurora




Night Dragon
•  Recently published by McAfee
•  Activity designed to obtain sensitive data from
   targeted organizations in global oil and energy
   industries…




Night Dragon
•  Source appears to be China, but this is difficult to
   confirm exactly
•  Began Nov 2009, possibly as early as 2007
•  Techniques:
           –  Social engineering
           –  Spear-phishing attacks
           –  Exploitation of Microsoft Windows vulnerabilities
           –  Microsoft Active Directory compromises
           –  Remote administration tools (RATs)

Night Dragon
•  Harvesting sensitive competitive proprietary
   operations, and project-financing information for oil
   and gas field bids and operations
•  Controlled systems, then cracked accounts to move
   to more sensitive information/systems
•  Focus was on operational oil and gas field
   production systems and financial documents related
   to field exploration and bidding
•  In certain cases, the attackers collected data from
   SCADA systems

Stuxnet
•  First publicly disclosed control systems rootkit, but
   certainly won’t be the last...
•  USB vector; focused on air-gapped networks
•  Highly sophisticated; infects everything, then
   rewrites PLC logic and hides
•  Undermines integrity of control system
•  Most regulations wouldn’t have stopped it
•  No 100% security against determined
    adversary
SHODAN, ERIPP, ETC




SHODAN, ERIPP, ETC

Berkeley Cyclotron HMI images

There’s An App For That

•  “Get mobile access to your control
   system via an iPhone, iPad,
   Android and other smartphones
   and tablet devices. The Ignition
   Mobile Module gives you instant
   access to any HMI / SCADA
   project created with the Ignition
   Vision Module.”


Public Domain




Only The Disclosed




TwitBookBlogosphere




Research and Disclosure
•  October 24, 2010, 12:39PM, Threat Post
       –  SCADA Vendors Still Need Security Wake Up Call
                •       http://threatpost.com/en_us/blogs/scada-vendors-still-need-security-wake-call-102410

       –  Please don’t waste my time

•  October 28, 2010: ICSJWG Seattle Meeting
       –  Invensys, IOActive, ICS-CERT presented on case study on
          Wonderware vulnerability

•  Disclosure positions are hotly debated

From Obscurity To Novelty
•       Smart Meter hacking
•       Hacking cookbooks
•       Metasploit
•       Fuzzers
•       Supply chain attacks
•       Manuals available in all languages on Internet




Shiny Object
•       Shiny object for the mass media
•       60 minutes
•       Wall Street Journal, National Journal, CNN
•       Too many IT trade publications to name
•       Blockbuster films
•       Prime time television shows
•       Social Media (blogosphere, Twitter)


Economic Drivers
•  Recession economy brings unique challenges
•  Decreased participation in working groups and
   conferences
•  Static or shrinking headcount; increased workload
•  Insider threat increases
•  Decreased spending on new equipment
•  Older products extended beyond intended lifespan
•  Security is expensive for customers and vendors

People Problem
•  Humans are the weakest link in any security system
       –  Passwords for candy; Social engineering
•  Humans are also the strongest link in any security
   system
       –  The Aware Person System (APS)
       –  ICS culture shift is very slow, but can be very powerful
•  Danger: unskilled/untrained operators of power
   tools can cause significant damage
       –  Increasing complexity = training treadmill

People Solution
•  So you’ve bought all of the fancy
   cybersecurity gizmos…
           –  What about the skilled staff to use
              them?
•  So you’ve put cameras in all
   critical sites…
           –  What about the staff to monitor and
              respond?
•  An appropriate balance of skilled
   people and current technology
   must be used

Back In The Good Old Days
•       Pneumatic, electromechanical, analog
•       Telephone meant POTS or “bat phone”
•       No Internet
•       Less automation
•       Less complexity
•       Proprietary
•       Long life span


ICS Gen-X
•       Automation, more complexity
•       Internet Protocol (TCP/UDP/etc)
•       Data, more data and even more data
•       Processing power, memory, bandwidth = SPEED!
•       Interconnected business
•       Flat networks
•       COTS software and hardware
•       Increasingly shorter lifespans

Millennium Systems
•       Highly digital, highly complex
•       Highly interconnected, highly layered
•       Bitflocking, dynamic emergent behavior
•       New protocols
•       New interdependencies
•       Homogenization
•       Innovation treadmill; constant lifespan flux


Bigger, Better, Faster
•  ARRA and other green dollars are flowing
•  SCADA devices now come with a flash-webserver-
   WiMax-mesh-ZigBee-kitchensink
•  Mixing legacy and bleeding edge tech is difficult
•  Logical distance between kinetic endpoint and HMI
   is exponentially increasing; “hyperembeddedness”
•  Most (but not all) vendors put features first, security
   last; this will not change in the foreseeable future


Advantage: Attackers
•  Security approaches favor new installations, legacy
   environments are still vulnerable
•  Very difficult to replace/patch in-service devices
•  Stuxnet: game changer, sets the new bar - even
   when sophisticated attacks aren’t necessary
•  Organized crime will top Nation States and Non-
   Government Organizations (NGOs) as biggest threat
•  Welcome to the cyberarms race


Cybersecurity Vocabulary
•  Network
•  Connectivity
•  Packet
•  Header
•  Traffic
•  Bandwidth
•  Latency
•  Internet Protocol
•  Virus/Trojan/Malware
•  Firmware
•  Denial of Service
•  NIST
•  NERC CIP
•  SCADA
•  Encryption
•  Credential

  
Information Technology 101
•  Connectivity: how the systems talk to each other
   (device intelligence increases from “dumb” to “smart” down the list)
   –  Hub
   –  Switch
   –  Managed Switch
   –  Router
   –  Firewall
   –  Next Generation Firewall
   –  Workstation/Server
•  What are we building for?

Three Flavors
•  Business Systems
•  Control Systems
•  “Smart Grid”

Business IT Security
•  Typical approach: password, firewall, anti-virus, etc
•  Protecting four key domains
           1. Confidentiality – preventing unauthorized access to
              information
           2. Integrity – preventing the unauthorized modification or
              theft of information
           3. Availability – preventing the denial of service and ensuring
              authorized access to information
           4. Non-Repudiation – preventing the denial of an action that
              took place or the claim of an action that did not take place
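As an added illustration of the four domains listed above (this program is not part of the slide deck), the following Go code maps three of them to concrete mechanisms: AES-GCM gives confidentiality and integrity, and an Ed25519 signature gives non-repudiation, because only the holder of the private key can produce it while anyone holding the public key can check it. Availability is a property of the whole system and is not shown. The message, the key material and the Envelope layout are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the protected form of a message: AES-GCM ciphertext (which
// carries its own authentication tag) plus an Ed25519 signature over
// nonce||ciphertext. The layout is an assumption for this example only.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect gives confidentiality and integrity (AES-GCM) and non-repudiation
// (a signature only the holder of the sender's private key can make).
func Protect(plaintext, key []byte, signer ed25519.PrivateKey) (*Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	signed := append(append([]byte{}, nonce...), ct...)
	return &Envelope{Nonce: nonce, Ciphertext: ct, Signature: ed25519.Sign(signer, signed)}, nil
}

// Verify rejects an envelope whose signature does not match the claimed
// sender, then rejects any ciphertext that fails the GCM tag check.
func Verify(env *Envelope, key []byte, sender ed25519.PublicKey) ([]byte, error) {
	signed := append(append([]byte{}, env.Nonce...), env.Ciphertext...)
	if !ed25519.Verify(sender, signed, env.Signature) {
		return nil, errors.New("signature invalid: sender cannot be established")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("integrity check failed: message was modified")
	}
	return pt, nil
}

// Demo runs three scenarios: an untouched envelope decrypts, a modified one
// is rejected, and one produced without the legitimate signing key is rejected.
func Demo() (cleanOK, tamperRejected, imposterRejected bool, err error) {
	key := make([]byte, 32) // AES-256 key, generated for the demo
	if _, err = rand.Read(key); err != nil {
		return
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, imposter, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	msg := []byte("setpoint pump-3 = 42") // constructed sample command

	env, err := Protect(msg, key, priv)
	if err != nil {
		return
	}
	pt, verr := Verify(env, key, pub)
	cleanOK = verr == nil && string(pt) == string(msg)

	tampered := *env
	tampered.Ciphertext = append([]byte{}, env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // one bit changed in transit
	_, verr = Verify(&tampered, key, pub)
	tamperRejected = verr != nil

	forged, ferr := Protect(msg, key, imposter) // right key, wrong signer
	if ferr != nil {
		err = ferr
		return
	}
	_, verr = Verify(forged, key, pub)
	imposterRejected = verr != nil
	return
}

func main() {
	c, t, i, err := Demo()
	fmt.Println("clean:", c, "tamper rejected:", t, "imposter rejected:", i, "err:", err)
}
```

In the tampered scenario the signature check fails first because the signature covers the ciphertext; the GCM tag would reject the same change on its own. The reason a signature is used rather than an HMAC for the fourth domain is that an HMAC key is shared, so either party could have produced the tag and neither can be held to it.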

What Is A Control System?
Diagram elements: Human Machine Interface; Control Valve; Programmable Logic Controllers; Basic Motor Control Ladder Logic (L1, START, STOP, M, O.L., L2)

I/O             Remote        Comms        Master
Meters          PLC           Protocols    SCADA Server
Sensors         IED           Wired        HMI
Field Devices   RTU           Wireless     EMS
                Controller                 DCS

IT vs ICS Security
TOPIC                    Information Technology       Industrial Control Systems
Anti-Virus/Mobile Code   Common, widely used          Uncommon, impossible
Typical Lifespan         3-5 years                    15-20 years
Outsourcing              Common, widely used          Rare, uncommon
Patch Management         Regular, scheduled           Slow, vendor-specific
Change Management        Regular, scheduled           Uncommon
Time Critical Content    Generally delays accepted    Critical due to safety
Availability             Generally delays accepted    24 x 7 x 365 x forever
Security Awareness       Good                         Poor, except physical
Security Testing/Audit   Scheduled, mandated          Occasional, uncommon
Physical Security        Secure                       Remote and unmanned

Typical Architecture
Diagram elements, in order: Internet; Firewall; Corporate Network; Process Control Network; SCADA and other field devices

Smart Grid Complications




What Have You Seen?
•  Did cyber security appear in your filings and
   hearings?
•  How did this fit in your list of priorities?
•  What elements were most important?
           –  Privacy?
           –  Reliability?
           –  Cost?
           –  Security Effectiveness?
           –  Upgradeability as a solution or vulnerability?

Threat Sources
•  Inadvertent errors
•  Power system equipment
   malfunctions
•  Communication
   equipment failure
•  Deliberate malicious acts



Threat Types
•  Replay attacks
•  Indiscretions (leaks) by personnel
•  Brute force
•  Bypass controls
•  Man-in-the-Middle
•  Denial of Service
•  Resource Exhaustion

Nothing New Under The Sun
•  Mature security practices; highly refined
   –  Defense in Depth
   –  Principle of Least Privilege
   –  Segregation of Duties
   –  Need to Know
   –  Confidentiality, Integrity, Availability
•  No Silver Bullet, 100%, Total Security
•  Strong protection has never been easy, inexpensive or quick to implement
•  Tradeoff between functionality and security

Strategies for Defense In Depth
•       Governance, policy
•       Authentication
•       Authorization
•       Admission control
•       Encryption
•       Integrity checking
•       Auditing, detection


Defense In Depth: Example
•  NERC CIP Standards
   –  CIP-002 – Critical Cyber Asset Identification
   –  CIP-003 – Security Management Controls
   –  CIP-004 – Personnel & Training
   –  CIP-005 – Electronic Security Perimeter(s)
   –  CIP-006 – Physical Security
   –  CIP-007 – Systems Security Management
   –  CIP-008 – Incident Reporting & Response Planning
   –  CIP-009 – Recovery Plans for Critical Cyber Assets

Proven Security Solutions
•       Physical Protection
•       Network Controls: Admission, Segmentation
•       Strong ID, Authentication and Authorization
•       Aware Person System (Training and Awareness)
•       Intrusion Detection/Prevention
•       Integrity Assurance
•       Application Whitelisting
•       Response and Recovery
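Integrity checking is listed under “Strategies for Defense In Depth” above and appears again here as “Integrity Assurance”; the Stuxnet slide (rewritten PLC logic that then hides itself) is the reason it matters in ICS. The Go program below is an added example, not material from the slides: it takes a SHA-256 baseline of a directory holding PLC project and HMI configuration files and reports anything added, removed or modified since the baseline, which is the kind of report an operator reconciles against the change-management record. File names and contents are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline records the SHA-256 of every regular file under root, keyed by the
// slash-separated path relative to root so the map is portable across hosts.
func Baseline(root string) (map[string]string, error) {
	hashes := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		hashes[filepath.ToSlash(rel)] = hex.EncodeToString(h.Sum(nil))
		return nil
	})
	return hashes, err
}

// Report lists what differs between a trusted baseline and the current state.
type Report struct {
	Added, Removed, Modified []string
}

// Compare diffs two baselines; every entry is a change that needs a matching
// approved change record, otherwise it is an incident to investigate.
func Compare(baseline, current map[string]string) Report {
	var r Report
	for p, h := range baseline {
		switch cur, ok := current[p]; {
		case !ok:
			r.Removed = append(r.Removed, p)
		case cur != h:
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range current {
		if _, ok := baseline[p]; !ok {
			r.Added = append(r.Added, p)
		}
	}
	sort.Strings(r.Added)
	sort.Strings(r.Removed)
	sort.Strings(r.Modified)
	return r
}

// Demo builds a constructed sample tree (names and contents are invented),
// baselines it, then simulates an unapproved edit to a PLC project file, the
// deletion of an HMI config, and the appearance of an unknown binary.
func Demo() (Report, error) {
	dir, err := os.MkdirTemp("", "ics-integrity")
	if err != nil {
		return Report{}, err
	}
	defer os.RemoveAll(dir)
	write := func(rel, body string) error {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		return os.WriteFile(p, []byte(body), 0o644)
	}
	for rel, body := range map[string]string{
		"plc/pump_station.s7p": "NETWORK 1: pump start logic, approved rev 3",
		"hmi/overview.cfg":     "screen=overview;refresh=500ms",
		"hmi/alarms.cfg":       "alarm_high=95",
	} {
		if err := write(rel, body); err != nil {
			return Report{}, err
		}
	}
	baseline, err := Baseline(dir)
	if err != nil {
		return Report{}, err
	}
	// Simulated changes since the baseline was taken.
	if err := write("plc/pump_station.s7p", "NETWORK 1: pump start logic, unapproved edit"); err != nil {
		return Report{}, err
	}
	if err := os.Remove(filepath.Join(dir, "hmi", "alarms.cfg")); err != nil {
		return Report{}, err
	}
	if err := write("hmi/unknown.dll", "not-a-real-binary"); err != nil {
		return Report{}, err
	}
	current, err := Baseline(dir)
	if err != nil {
		return Report{}, err
	}
	return Compare(baseline, current), nil
}

func main() {
	r, err := Demo()
	fmt.Printf("added=%v removed=%v modified=%v err=%v\n", r.Added, r.Removed, r.Modified, err)
}
```

The baseline itself must be stored somewhere the monitored host cannot write (the slide on Stuxnet is the reminder that a compromised system will hide its own changes), and on a 24 x 7 x 365 control network the comparison is scheduled rather than run by hand.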

You Don’t Need a Perfect Defense
•  If defensive measures can be beaten, does the
   system ensure the results of the attack are:
           –  Unprofitable
           –  Limited in its ramifications
           –  Hard enough to make the “juice” not worth the “squeeze”
           –  Difficult to replicate
           –  Quickly and easily recoverable
           –  Traceable and easy to detect; and
           –  Otherwise unappealing


Why Your Role Is Increasing
•  Increased attacks to business processes
•  NERC CIP compliance
•  The deployment of smart grid

•  These are increasingly drivers for cost recovery consideration and other contexts in cases that are coming your way very soon
•  Is that reflected in what you’re seeing / hearing?

Proposal: Roles for Public Utility Commissions
1.  Ask the right questions when considering cost recovery of prudent utility expenditures for cyber security.
2.  Assuring that cyber security requirements that utilities are subject to are being met.
    –  PUC Staff need to be up-to-date on cyber security requirements and potential threats.
3.  Assuring that the PUC’s computer systems and operations are subject to on-going cyber security reviews and remediation, and that disaster recovery plans are in place and tested.
    –  This also includes cyber security awareness for agency employees.
4.  Understand and participate in regional and national efforts for protecting critical infrastructure

Cybersecurity Investments: What To Ask
•  Worth saying twice: someone at the PUC staff needs to be up-to-date on cyber security requirements and potential threats.
•  Ask how security is addressed (conceptually) for each component
•  Don’t accept assurances that all products used were built to be secure, or that IT solutions will work for SCADA systems. Insist that vendors document & independently verify their security controls
•  Use compliance as a floor, not a ceiling: Ask to see risk assessment documentation
•  Ensure security is budgeted for and individuals are assigned responsibility
•  Ensure service providers (for example, telcos, meter data processors) are included in risk assessment and provide sufficient information
•  Ensure integrated security between business systems and control systems for existing grid and for smart grid

Three examples of State action
•  Pennsylvania
•  Missouri
•  New York

•  PUCs don’t need to become cyber experts or enforcers, but if you ask a utility a question they will return with an answer

Cybersecurity Requirements
                       and Resources
•  For the Bulk Power System:
           –  The North American Electric Reliability Corporation --
              Standards CIP-002 through CIP-009 (the Critical Cyber Asset
              Identification portion of the Critical Infrastructure Protection
              standards)
           –  http://www.nerc.com/page.php?cid=2|20
•  For the Smart Grid:
           –  The National Institute of Standards and Technology (NIST)
              smart grid interoperability standards and specifications for
              inclusion in the Smart Grid Interoperability Standards
              Framework, Release 1.0. These include three volumes on
              cyber security
           –  http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628
•  What’s Missing?
           –  Distribution systems, serial control systems, and other gaps


Smart Grid Investment Grant Program

•  Requires a description of how cyber security concerns will be
   addressed with respect to the use of best available
   equipment and the application of procedures and practices
   involving system design, testing, deployment, operations and
   decommissioning, including at a minimum:
   i.    A description of the cyber security risks at each stage of the system deployment lifecycle,
   ii.   Cyber security criteria used for vendor and device selection,
   iii.  Cyber security control strategies,
   iv.   Descriptions of residual cyber security risks,
   v.    Relevant cyber security standards and best practices, and
   vi.   Descriptions of how the project will support/adopt/implement emerging smart grid security standards
Source: Notice of Intent to Issue a Funding Opportunity Announcement For the Smart Grid Investment Grant Program, April 16, 2009

Is Smart Grid More Vulnerable?

Source: “San Diego Smart Grid Study”, October 2006

Power outages cost between $80 billion and $150 billion every year

Energy Independence and Security Act
•  In the Energy Independence and Security Act (EISA) of 2007, Congress established the development of a Smart Grid as a national policy goal.
•  Under EISA, NIST is directed to “coordinate the development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems” as well as maintain the reliability and security of the electricity infrastructure.

Conceptual Reference Diagram for Smart Grid Information Networks

Interoperability Framework
(layered diagram, top to bottom)
•  Testing and Certification
•  Standards
•  Security Architecture and Requirements
•  Conceptual Reference Model
•  Business and Public Policy Requirements

NIST Three Phase Plan
•  PHASE 1 (2009): Identify an initial set of existing consensus standards and develop a roadmap to fill gaps
•  PHASE 2 (2010): Establish public/private Standards Panel to provide ongoing recommendations for new/revised standards
•  PHASE 3: Testing and Certification Framework

Smart Grid – an Opportunity
•  Modernization provides an opportunity to improve security of the Grid
•  Integration of new IT and networking technologies
   –  Brings new risks as well as an array of security standards, processes, and tools
•  Architecture is key
   –  Security must be designed in – it cannot be added on later

CSWG
o  To address the cross-cutting issue of cyber security, NIST established the Cyber Security Coordination Task Group (CSCTG) in March 2009
o  Moved under the NIST Smart Grid Interoperability Panel (SGIP) as a standing working group and was renamed the Cyber Security Working Group (SGIP–CSWG)
o  The CSWG now has more than 475 participants from the private sector (including vendors and service providers), academia, regulatory organizations, national research laboratories, and federal agencies


                                                        58
Guidelines for Smart Grid Cyber Security
o  NIST Interagency Report 7628 - August 2010
   n  Development of the document led by NIST
   n  Represents significant coordination among
      o Federal agencies
      o Private sector
      o Regulators
      o Academics
   n  Document includes material that will be used in selecting and modifying security requirements




                                                        59
NISTIR 7628 – What it IS and IS NOT
What it IS
o  A tool for organizations that are researching, designing, developing, and implementing Smart Grid technologies
o  May be used as a guideline to evaluate the overall cyber risks to a Smart Grid system during the design phase and during system implementation and maintenance
o  Guidance for organizations
   n  Each organization must develop its own cyber security strategy (including a risk assessment methodology) for the Smart Grid.

What it IS NOT
o  It does not prescribe particular solutions
o  It is not mandatory




                                                                          60
Smart Grid Cyber Security Strategy - Tasks
[Figure: task flow, text recovered from the slide graphic]
o  1. Use Case Analysis
   n  Top-down analysis (inter-component domains)
   n  Bottom-up analysis (vulnerability classes)
o  2. Risk Assessment
   n  Identify assets
   n  Vulnerabilities
   n  Threats
   n  Impacts
o  Privacy Assessment
o  3. High Level Security Requirements
o  4a. Security Architecture
o  4b. Smart Grid Standards Assessment (Existing Standards: CIP, IEEE, IEC, etc.)
o  5. Conformity Assessment
                                                                                                61
NISTIR 7628 Content
The NISTIR includes the following
o  Executive Summary
o  Chapter 1 - Overall cyber security strategy for the Smart Grid
o  Chapter 2 – High level and logical security architecture
o  Chapter 3 – High level security requirements
o  Chapter 4 – Cryptography and key management


                                                     62
NISTIR 7628 Content (2)
o  Chapter 5 - Privacy and the Smart Grid
o  Chapter 6 – Vulnerability Classes
o  Chapter 7 – Bottom-up security analysis of the Smart Grid
o  Chapter 8 - R&D themes for cyber security in the Smart Grid
o  Chapter 9 – Overview of the standards review



                                                      63
NISTIR 7628 Content (3)
o  Chapter 10 – Key power system use cases for security requirements
o  Appendices A - J




                                                 64
How to Participate in CSWG
o  NIST Smart Grid portal http://nist.gov/smartgrid
o  Cyber Security Working Group
   n  Lead: Marianne Swanson (marianne.swanson@nist.gov)
   n  NIST Support: Tanya Brewer (tanya.brewer@nist.gov)
o  Cyber Security Twiki site
o  http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CyberSecurityCTG



                                                        65
Security of PUC’s computer systems
This may be the responsibility of another state agency or office, but a failure would still impact the business operation of the Commission
l Assuring that the computer systems on which the PUC relies have on-going cyber security reviews and remediation of identified vulnerabilities.
l Disaster recovery plans are in place and tested, and Continuity of Operation Plans have been developed.
l Cyber security awareness for agency employees, including social engineering and insider threats.
Continuity of Operation Plans (COOP)
l  Internal contingency plans of government and business to assure the rapid resumption of essential functions as soon as possible if they are disrupted for any reason: e.g., fire, tornado, hurricanes, wildfires, earthquakes, terrorism, pandemics, etc. – Build Self-reliance and Resiliency
l  Helps assure that critical/essential functions can quickly resume operations
l  Addresses key or essential employees, required facilities, computer system records and back-up data systems, etc.
l  Minimize damage & losses
l  Management succession & emergency powers
On what cyber systems do you rely?
l  What IT systems support critical PUC functions?
l  What are the backed up systems?
l  What systems are needed to support restoration?
l  What systems are needed operationally?
l  In what sequence should systems be restored?
l  What are the telecommunication needs and requirements?

Hourly Loss from Downtime in the Information Technology Sector: $1.3 million/hr
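One way to turn the questions above into a repeatable COOP artifact is a dependency graph of the systems the Commission relies on, from which "what must be up first" and "in what sequence" can be computed rather than guessed. The Python below is an added example, not material from the NARUC presentation or any of the speakers; the system names and dependencies in SAMPLE_DEPENDENCIES are a constructed sample, not a real PUC inventory.

```python
"""Restoration-sequence planner for a Continuity of Operations (COOP) review.

Added example: the systems and dependencies below are a constructed sample,
not an inventory from any real Commission.
"""

# Constructed sample: each system -> the systems it cannot run without.
SAMPLE_DEPENDENCIES = {
    "network_core": [],
    "directory": ["network_core"],                 # identity / authentication
    "backup_server": ["network_core"],
    "email": ["network_core", "directory"],
    "docket_system": ["network_core", "directory", "backup_server"],
    "public_website": ["network_core", "docket_system"],
}


def _normalize(deps):
    """Copy the graph and make sure every referenced system is a node."""
    graph = {system: set(needed) for system, needed in deps.items()}
    for needed in list(graph.values()):
        for system in needed:
            graph.setdefault(system, set())
    return graph


def restoration_order(deps):
    """Order systems so each one's dependencies are restored before it.

    Kahn's algorithm; ties are broken alphabetically so the plan is
    reproducible. Raises ValueError if the dependencies form a cycle,
    which in a COOP review means the plan needs a manual break-in point.
    """
    graph = _normalize(deps)
    remaining = {system: len(needed) for system, needed in graph.items()}
    dependents = {system: set() for system in graph}
    for system, needed in graph.items():
        for prerequisite in needed:
            dependents[prerequisite].add(system)

    ready = sorted(system for system, count in remaining.items() if count == 0)
    order = []
    while ready:
        system = ready.pop(0)
        order.append(system)
        for dependent in sorted(dependents[system]):
            remaining[dependent] -= 1
            if remaining[dependent] == 0:
                ready.append(dependent)
        ready.sort()
    if len(order) != len(graph):
        stuck = sorted(system for system, count in remaining.items() if count > 0)
        raise ValueError(f"circular dependency among: {stuck}")
    return order


def restoration_waves(deps):
    """Group systems into waves that can be brought back in parallel.

    A system's wave is one more than the latest wave of anything it needs.
    """
    graph = _normalize(deps)
    wave_of = {}
    for system in restoration_order(deps):  # dependencies are already placed
        wave_of[system] = 1 + max((wave_of[n] for n in graph[system]), default=0)
    waves = {}
    for system, wave in wave_of.items():
        waves.setdefault(wave, []).append(system)
    return [sorted(waves[w]) for w in sorted(waves)]


def systems_needed_for(deps, target):
    """Everything that must be up before `target` can be restored."""
    graph = _normalize(deps)
    needed, pending = set(), list(graph.get(target, ()))
    while pending:
        system = pending.pop()
        if system not in needed:
            needed.add(system)
            pending.extend(graph[system])
    return sorted(needed)


if __name__ == "__main__":
    for number, wave in enumerate(restoration_waves(SAMPLE_DEPENDENCIES), start=1):
        print(f"wave {number}: {', '.join(wave)}")
    print("needed before public_website:",
          ", ".join(systems_needed_for(SAMPLE_DEPENDENCIES, "public_website")))
```

The cycle check matters in practice: a circular dependency (for example, a backup server that needs the directory, and a directory whose restore media lives on that backup server) is exactly the kind of gap a tabletop exercise should surface, and the planner refuses to produce a sequence until someone documents how the loop is broken.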
What if this happened?
[Image slide]

Employee Education
[Image slide]
http://www.michigan.gov/cybersecurity
Resilience Factors
•  Robustness
   –  The ability to operate or stay standing in the face of disaster
•  Resourcefulness
   –  Skillfully managing a disaster once it unfolds
•  Rapid Recovery
   –  The capacity to get things back to normal as quickly as possible after a disaster
•  Learning lessons
   –  Having the means to absorb the new lessons that can be drawn from a catastrophe

Resilience Considerations
•  Resilience depends on humans
   –  Human networks are key
   –  Ability to work together and individually
   –  Potential for panic or confusion
   –  Build necessary connections (relationships) in advance

•  In the event of an electric power sector cyberattack, do you know:
   –  Your role? If not, whose role it is to act?
   –  Who to call? What they can /should do?


Protecting The Right Stuff
•  Very little security actuarial data vs. engineering actuarial data
•  Most organizations don't communicate details of security breaches
•  Most estimates are based on FUD (Fear, Uncertainty and Doubt)
•  Need better/current data on:
   –  What is being attacked? (most preferred targets)
   –  Which attacks were successful?

Product/Service Problem(s)
•  Utilities are married to their products [and vendors] for many years
•  Most products are very expensive to replace or upgrade and challenging to coordinate
•  Product vendors are trying to balance security and profit; guess which one wins…
•  Some vendors are responsive, most are not
•  SCADA Procurement Language can help, but only for new purchases
What Can State Regulators Do?
•  Get educated (even more than today)
•  Strategic communication, in all directions
•  Build new relationships and reshape old
•  Support measures to get actuarial data
•  Support secure procurement measures
•  Support security training/education
•  Support appropriate staffing levels
•  Rethink the rate case approach

What Can State Regulators Do?
•  Ask questions…
   –  Are you using the SCADA Procurement Language?
   –  Are you participating in local, state, regional, national security/disaster exercises?
   –  What security training/education/awareness are you providing to your staff and how often?
   –  Where do you get your situational awareness data?
   –  What cybersecurity technologies do you use?
   –  Have you performed a full [exhaustive] inventory of all control systems and all associated communication links?

Education and Training
•  What is happening in Operations, Federal, States?
•  OpSec, Red-Blue, Security Body of Knowledge, security concepts
•  Security practices change rapidly
   –  Need for training on new tactics and new technology is perpetual
•  Lack of education leads to a false sense of security
   –  Otherwise known as knowing just enough to be dangerous



Communication
•  Ratepayers want a secure grid, until they see the bill
   –  Expect rate shock
   –  Rates could triple or more, for some infrastructures
•  Common Practice vs. Best Practice
•  Early and regular, fact-based communication can minimize negative public reaction
•  Remind ratepayers that smart, informed decisions are being made


Communication
•  Keep the story fresh; lather, rinse, repeat
•  Leverage existing Safety communication vehicles/mechanisms
   –  Newsletters
   –  Mailers, billing notices
   –  Public service announcements
   –  Sponsored events
•  Partner with utilities, Federal agencies and even Media to convey a unified message

Relationships
•  Get out and talk to your operators
•  Get to know the industry thought leaders
•  What are your peers doing?
•  Situational Awareness
   –  NESCO, VirtualUSA, Einstein, Fusion centers, Infragard…
•  Take a partnership approach to the rate case (vs. adversarial) as much as possible



Closing Thoughts
•  Cybersecurity is worth taking seriously, but will have to fit into a long list of concerns and priorities
•  There are few response networks for utility sector cybersecurity among State Governments
•  Few of those evaluating cybersecurity investments understand cybersecurity
•  An unskilled operator of any power tool will hurt themselves and those around them
   –  Training and staffing are imperative
•  A culture shift is the first ingredient for success
•  Soft-skills may matter more than technical skills
Questions?
Patrick C Miller, President and CEO, EnergySec; Principal Investigator, NESCO
patrick@energysec.org
503-446-1212

Miles Keogh, NARUC Director of Grants & Research
mkeogh@naruc.org
202-898-2217

Bill Hunteman, Chief Cyber Security Advisor, US Department of Energy, Office of Electricity Delivery & Energy Reliability
William.hunteman@doe.gov
Más contenido relacionado

La actualidad más candente

TAC Subscription Webinar
TAC Subscription WebinarTAC Subscription Webinar
TAC Subscription Webinar
EnergySec
 
GR - Security Economics in IoT 150817- Rel.1
GR - Security Economics in IoT 150817- Rel.1GR - Security Economics in IoT 150817- Rel.1
GR - Security Economics in IoT 150817- Rel.1
Clay Melugin
 
Using the power of data by David Wollman
Using the power of data by David WollmanUsing the power of data by David Wollman
Using the power of data by David Wollman
MaRS Discovery District
 

La actualidad más candente (20)

Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Aut...
Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Aut...Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Aut...
Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Aut...
 
2-25-2014 Part 1 - NRECA Kickoff Meeting v2
2-25-2014 Part 1 - NRECA Kickoff Meeting v22-25-2014 Part 1 - NRECA Kickoff Meeting v2
2-25-2014 Part 1 - NRECA Kickoff Meeting v2
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill Chain
 
Dragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos 2019 ICS Year in Review
Dragos 2019 ICS Year in Review
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups
 
Security and Privacy in IoT and Cyber-physical Systems
Security and Privacy in IoT and Cyber-physical SystemsSecurity and Privacy in IoT and Cyber-physical Systems
Security and Privacy in IoT and Cyber-physical Systems
 
Smart Grid Cyber Security Summit Revere
Smart Grid Cyber Security Summit RevereSmart Grid Cyber Security Summit Revere
Smart Grid Cyber Security Summit Revere
 
TAC Subscription Webinar
TAC Subscription WebinarTAC Subscription Webinar
TAC Subscription Webinar
 
GR - Security Economics in IoT 150817- Rel.1
GR - Security Economics in IoT 150817- Rel.1GR - Security Economics in IoT 150817- Rel.1
GR - Security Economics in IoT 150817- Rel.1
 
Using the power of data by David Wollman
Using the power of data by David WollmanUsing the power of data by David Wollman
Using the power of data by David Wollman
 
Nreca kickoff meeting
Nreca kickoff meetingNreca kickoff meeting
Nreca kickoff meeting
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019
 
Introduction by ann cavoukian
Introduction by ann cavoukianIntroduction by ann cavoukian
Introduction by ann cavoukian
 
Cybersecurity and continuous intelligence
Cybersecurity and continuous intelligenceCybersecurity and continuous intelligence
Cybersecurity and continuous intelligence
 
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
 
A rede como um sensor de segurança
A rede como um sensor de segurança A rede como um sensor de segurança
A rede como um sensor de segurança
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller
 
EnergySec & NESCO Overview
EnergySec & NESCO OverviewEnergySec & NESCO Overview
EnergySec & NESCO Overview
 
One Security Device to Rule Them All
One Security Device to Rule Them AllOne Security Device to Rule Them All
One Security Device to Rule Them All
 

Similar a Don't Get Hacked! Cybersecurity Boot Camp

Next Generation Information Sharing For The Electric Sector
Next Generation Information Sharing For The Electric SectorNext Generation Information Sharing For The Electric Sector
Next Generation Information Sharing For The Electric Sector
EnergySec
 
EISS Cybersecurity Briefing
EISS Cybersecurity BriefingEISS Cybersecurity Briefing
EISS Cybersecurity Briefing
EnergySec
 
Security From the Ground Up
Security From the Ground UpSecurity From the Ground Up
Security From the Ground Up
EnergySec
 

Similar a Don't Get Hacked! Cybersecurity Boot Camp (20)

NESCO Overview: Emerson Ovation User Group BOD Meeting
NESCO Overview: Emerson Ovation User Group BOD MeetingNESCO Overview: Emerson Ovation User Group BOD Meeting
NESCO Overview: Emerson Ovation User Group BOD Meeting
 
The Expanding Web of Cybersecurity Requirements
The Expanding Web of Cybersecurity RequirementsThe Expanding Web of Cybersecurity Requirements
The Expanding Web of Cybersecurity Requirements
 
Next Generation Information Sharing for the Electric Sector
Next Generation Information Sharing for the Electric SectorNext Generation Information Sharing for the Electric Sector
Next Generation Information Sharing for the Electric Sector
 
Next Generation Information Sharing For The Electric Sector
Next Generation Information Sharing For The Electric SectorNext Generation Information Sharing For The Electric Sector
Next Generation Information Sharing For The Electric Sector
 
EISS Cybersecurity Briefing
EISS Cybersecurity BriefingEISS Cybersecurity Briefing
EISS Cybersecurity Briefing
 
S C A D A Security Keynote C K
S C A D A  Security  Keynote  C KS C A D A  Security  Keynote  C K
S C A D A Security Keynote C K
 
What's "Smart" Got to Do With It?: A technical overview of Advanced Metering ...
What's "Smart" Got to Do With It?: A technical overview of Advanced Metering ...What's "Smart" Got to Do With It?: A technical overview of Advanced Metering ...
What's "Smart" Got to Do With It?: A technical overview of Advanced Metering ...
 
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
 
Bridging the Gap: Between Operations and IT
Bridging the Gap: Between Operations and ITBridging the Gap: Between Operations and IT
Bridging the Gap: Between Operations and IT
 
Security From the Ground Up
Security From the Ground UpSecurity From the Ground Up
Security From the Ground Up
 
Security From the Ground Up
Security From the Ground UpSecurity From the Ground Up
Security From the Ground Up
 
Power Grid Cybersecurity
Power Grid CybersecurityPower Grid Cybersecurity
Power Grid Cybersecurity
 
SCADA Security in CDIC 2009
SCADA Security in CDIC 2009SCADA Security in CDIC 2009
SCADA Security in CDIC 2009
 
Capstone Paper
Capstone PaperCapstone Paper
Capstone Paper
 
Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7
 
T063500000200201 ppte
T063500000200201 ppteT063500000200201 ppte
T063500000200201 ppte
 
Security of the Electric Grid: It's more than just NERC CIP
Security of the Electric Grid: It's more than just NERC CIPSecurity of the Electric Grid: It's more than just NERC CIP
Security of the Electric Grid: It's more than just NERC CIP
 
The Cybersecurity Mess
The Cybersecurity MessThe Cybersecurity Mess
The Cybersecurity Mess
 

Más de EnergySec

Wireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of ReachWireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of Reach
EnergySec
 
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
EnergySec
 

Más de EnergySec (20)

Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
Gary Leatherman - A Holistic Approach for Reimagining Cyber DefenseGary Leatherman - A Holistic Approach for Reimagining Cyber Defense
Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
 
Slide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsSlide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and Mitigations
 
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityDaniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementLessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWs
 
Wireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of ReachWireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of Reach
 
Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!
 
Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network Architectures
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
 
Industrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With ScissorsIndustrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With Scissors
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
 
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
 
Where Cyber Security Meets Operational Value
Where Cyber Security Meets Operational ValueWhere Cyber Security Meets Operational Value
Where Cyber Security Meets Operational Value
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
 
Industry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherIndustry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working Together
 
What the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each OtherWhat the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each Other
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Último (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf

Don't Get Hacked! Cybersecurity Boot Camp

  • 1. Don’t Get Hacked! Cybersecurity Boot Camp (NARUC)
    Patrick C Miller, EnergySec / NESCO
    Bill Hunteman, US DOE
    Miles Keogh, NARUC
    February 13 2011, NARUC Winter Committee Meetings, Marriott Renaissance, Washington DC
  • 2. Our Drill Instructors!
    • Miles Keogh
      – Director of Grants and Research, NARUC
    • Patrick C Miller
      – Founder, President and CEO, EnergySec
      – Principal Investigator, National Electric Sector Cybersecurity Organization (NESCO)
      – Former Director, NERC CIP Practice, ICF International
      – Former Manager, WECC CIP Audits & Investigations
      – Corporate Security staff for several Pacific Northwest utilities
      – Deep roots in Telecom sector, IT and Industrial Control Systems
      – CRISC, CISA, CISSP-ISSAP, SSCP, CEH, CVI, NSA-IAM
  • 3. Our Drill Instructors!
    • Bill Hunteman
      – Chief Advisor for Cybersecurity, US Department of Energy
      – DOE Chief Information Security Officer (CISO) and Associate CIO for Cyber Security
      – Cybersecurity Program Manager for the DOE National Nuclear Security Administration
      – Worked in the Los Alamos and Sandia National Laboratories
      – Managed cybersecurity research and development activities
      – Participated in the development of national and international cyber security criteria
      – Joint projects with Russia to improve cyber security in the Russian nuclear weapons complex
      – Design and development of high performance computer networks and operating systems for many of the supercomputers used by DOE (and its predecessors)
      – Bachelor of Science in Mathematics and Master of Science in Electrical Engineering/Computer Science
  • 4. What We’re Covering Today
    • What’s the “Cyber” in “Cyber security?”
    • What are we trying to protect?
    • What threats do we face?
    • What are the challenges of instituting cyber security?
    • Where do the vulnerabilities within the system exist?
    • What can Commissions do about it?
    • What are the policy structures you have to work with?
  • 5. What Have You Seen?
    • How well do you understand the confluence of networked and traditional devices?
    • Has cybersecurity come before your commission?
    • What has that looked like?
    • What questions do you have about cybersecurity?
    • Is cybersecurity a concern at your commission?
  • 6. Rising Cybersecurity Threats
    The National Electric Sector Cybersecurity Organization (NESCO) is a DOE-funded EnergySec Program
  • 7. CyberWar (InfoWar)
  • 8. Aurora
  • 9. Night Dragon
    • Recently published by McAfee
    • Activity designed to obtain sensitive data from targeted organizations in global oil and energy industries…
  • 10. Night Dragon
    • Source appears to be China, but this is difficult to confirm exactly
    • Began Nov 2009, possibly as early as 2007
    • Techniques:
      – Social engineering
      – Spear-phishing attacks
      – Exploitation of Microsoft Windows vulnerabilities
      – Microsoft Active Directory compromises
      – Remote administration tools (RATs)
  • 11. Night Dragon
    • Harvesting sensitive competitive proprietary operations, and project-financing information for oil and gas field bids and operations
    • Controlled systems, then cracked accounts to move to more sensitive information/systems
    • Focus was on operational oil and gas field production systems and financial documents related to field exploration and bidding
    • In certain cases, the attackers collected data from SCADA systems
  • 12. Stuxnet
    • First publicly disclosed control systems rootkit, but certainly won’t be the last...
    • USB vector; focused on air-gapped networks
    • Highly sophisticated; infects everything, then rewrites PLC logic and hides
    • Undermines integrity of control system
    • Most regulations wouldn’t have stopped it
    • No 100% security against determined adversary
  • 13. SHODAN, ERIPP, ETC
  • 14. SHODAN, ERIPP, ETC
    Berkeley Cyclotron HMI images
  • 15. There’s An App For That
    • “Get mobile access to your control system via an iPhone, iPad, Android and other smartphones and tablet devices. The Ignition Mobile Module gives you instant access to any HMI / SCADA project created with the Ignition Vision Module.”
  • 16. Public Domain
  • 17. Only The Disclosed
  • 18. TwitBookBlogosphere
  • 19. Research and Disclosure
    • October 24, 2010, 12:39PM, Threat Post
      – SCADA Vendors Still Need Security Wake Up Call
        • http://threatpost.com/en_us/blogs/scada-vendors-still-need-security-wake-call-102410
      – Please don’t waste my time
    • October 28, 2010: ICSJWG Seattle Meeting
      – Invensys, IOActive and ICS-CERT presented a case study on the Wonderware vulnerability
    • Disclosure positions are hotly debated
  • 20. From Obscurity To Novelty
    • Smart Meter hacking
    • Hacking cookbooks
    • Metasploit
    • Fuzzers
    • Supply chain attacks
    • Manuals available in all languages on Internet
  • 21. Shiny Object
    • Shiny object for the mass media
    • 60 Minutes
    • Wall Street Journal, National Journal, CNN
    • Too many IT trade publications to name
    • Blockbuster films
    • Prime time television shows
    • Social Media (blogosphere, Twitter)
  • 22. Economic Drivers
    • Recession economy brings unique challenges
    • Decreased participation in working groups and conferences
    • Static or shrinking headcount; increased workload
    • Insider threat increases
    • Decreased spending on new equipment
    • Older products extended beyond intended lifespan
    • Security is expensive for customers and vendors
  • 23. People Problem
    • Humans are the weakest link in any security system
      – Passwords for candy; Social engineering
    • Humans are also the strongest link in any security system
      – The Aware Person System (APS)
      – ICS culture shift is very slow, but can be very powerful
    • Danger: unskilled/untrained operators of power tools can cause significant damage
      – Increasing complexity = training treadmill
  • 24. People Solution
    • So you’ve bought all of the fancy cybersecurity gizmos…
      – What about the skilled staff to use them?
    • So you’ve put cameras in all critical sites…
      – What about the staff to monitor and respond?
    • An appropriate balance of skilled people and current technology must be used
  • 25. Back In The Good Old Days
    • Pneumatic, electromechanical, analog
    • Telephone meant POTS or “bat phone”
    • No Internet
    • Less automation
    • Less complexity
    • Proprietary
    • Long life span
  • 26. ICS Gen-X
    • Automation, more complexity
    • Internet Protocol (TCP/UDP/etc)
    • Data, more data and even more data
    • Processing power, memory, bandwidth = SPEED!
    • Interconnected business
    • Flat networks
    • COTS software and hardware
    • Increasingly shorter lifespans
  • 27. Millennium Systems
    • Highly digital, highly complex
    • Highly interconnected, highly layered
    • Bitflocking, dynamic emergent behavior
    • New protocols
    • New interdependencies
    • Homogenization
    • Innovation treadmill; constant lifespan flux
  • 28. Bigger, Better, Faster
    • ARRA and other green dollars are flowing
    • SCADA devices now come with a flash-webserver-WiMax-mesh-ZigBee-kitchensink
    • Mixing legacy and bleeding edge tech is difficult
    • Logical distance between kinetic endpoint and HMI is exponentially increasing; “hyperembeddedness”
    • Most (but not all) vendors put features first, security last; this will not change in the foreseeable future
  • 29. Advantage: Attackers
    • Security approaches favor new installations, legacy environments are still vulnerable
    • Very difficult to replace/patch in-service devices
    • Stuxnet: game changer, sets the new bar - even when sophisticated attacks aren’t necessary
    • Organized crime will top Nation States and Non-Government Organizations (NGOs) as biggest threat
    • Welcome to the cyberarms race
  • 30. Cybersecurity Vocabulary
    • Network
    • Connectivity
    • Packet
    • Header
    • Traffic
    • Bandwidth
    • Latency
    • Internet Protocol
    • Virus/Trojan/Malware
    • Firmware
    • Denial of Service
    • NIST
    • NERC CIP
    • SCADA
    • Encryption
    • Credential
  • 31. Information Technology 101
    • Connectivity: how the systems talk to each other (devices in order of increasing device intelligence, from “dumb” to “smart”)
      – Hub (“dumb”)
      – Switch
      – Managed Switch
      – Router
      – Firewall
      – Next Generation Firewall
      – Workstation/Server (“smart”)
    • What are we building for?
  • 32. Three Flavors
    • Business Systems
    • Control Systems
    • “Smart Grid”
  • 33. Business IT Security
    • Typical approach: password, firewall, anti-virus, etc
    • Protecting four key domains
      1. Confidentiality – preventing unauthorized access to information
      2. Integrity – preventing the unauthorized modification or theft of information
      3. Availability – preventing the denial of service and ensuring authorized access to information
      4. Non-Repudiation – preventing the denial of an action that took place or the claim of an action that did not take place
  • 34. What Is A Control System?
    (Diagram slide; labels: Human Machine Interface; Basic Motor Control ladder logic (L1/L2, START, STOP, M, O.L.); Control Valve; Programmable Logic Controllers; Ladder Logic; I/O; Remote Comms; Master; Meters; PLC; Protocols; SCADA; Sensors; IED; Wired; Server; Field Devices; RTU; Wireless; HMI; Controller; EMS; DCS)
  • 35. IT vs ICS Security
    TOPIC | Information Technology | Industrial Control Systems
    Anti-Virus/Mobile Code | Common, widely used | Uncommon, impossible
    Typical Lifespan | 3-5 years | 15-20 years
    Outsourcing | Common, widely used | Rare, uncommon
    Patch Management | Regular, scheduled | Slow, vendor-specific
    Change Management | Regular, scheduled | Uncommon
    Time Critical Content | Generally delays accepted | Critical due to safety
    Availability | Generally delays accepted | 24 x 7 x 365 x forever
    Security Awareness | Good | Poor, except physical
    Security Testing/Audit | Scheduled, mandated | Occasional, uncommon
    Physical Security | Secure | Remote and unmanned
  • 36. Typical Architecture
    (Diagram slide; labels: Internet; Firewall; Corporate Network; Process Control Network; SCADA and other field devices)
  • 37. Smart Grid Complications
  • 38. Smart Grid Complications
  • 39. What Have You Seen?
    • Did cyber security appear in your filings and hearings?
    • How did this fit in your list of priorities?
    • What elements were most important?
      – Privacy?
      – Reliability?
      – Cost?
      – Security Effectiveness?
      – Upgradeability as a solution or vulnerability?
  • 40. Threat Sources
    • Inadvertent errors
    • Power system equipment malfunctions
    • Communication equipment failure
    • Deliberate malicious acts
  • 41. Threat Types
    • Replay attacks
    • Indiscretions (leaks) by personnel
    • Brute force
    • Bypass controls
    • Man-in-the-Middle
    • Denial of Service
    • Resource Exhaustion
  • 42. Nothing New Under The Sun
    • Mature security practices; highly refined
      – Defense in Depth
      – Principle of Least Privilege
      – Segregation of Duties
      – Need to Know
      – Confidentiality, Integrity, Availability
    • No Silver Bullet, 100%, Total Security
    • Strong protection has never been easy, inexpensive or quick to implement
    • Tradeoff between functionality and security
  • 43. Strategies for Defense In Depth
    • Governance, policy
    • Authentication
    • Authorization
    • Admission control
    • Encryption
    • Integrity checking
    • Auditing, detection
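The deck names integrity (slide 33), replay and man-in-the-middle attacks (slide 41) and authentication, integrity checking and auditing as defense-in-depth layers (slide 43) without showing how a control message actually gets those properties. The following is an added example, not code from the NARUC deck or from any vendor product: each command carries a sequence number and an HMAC-SHA256 tag over the sequence number and payload, so the receiver rejects modified messages, messages from a party without the key, and captured messages that are re-sent later, and records every decision for auditing. The frame layout, key, command strings and the `Receiver` class are assumptions constructed for the illustration.

```python
"""Integrity checking plus replay protection for control messages.

Added example (not from the NARUC deck): a keyed MAC (HMAC-SHA256) over
sequence number || payload gives integrity and sender authentication;
a strictly increasing sequence number gives replay detection. Every
decision is appended to an audit list so a monitor can alert on it.
Frame layout, key and command strings are constructed assumptions.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes
SEQ_LEN = 4   # sequence number: unsigned 32-bit, big-endian


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame a message as seq || payload || HMAC(key, seq || payload)."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies the tag, then enforces strictly increasing sequence numbers."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1
        # (event, seq) pairs; seq is -1 when the frame could not be trusted
        self.audit: List[Tuple[str, int]] = []

    def accept(self, frame: bytes) -> Optional[bytes]:
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            self.audit.append(("malformed", -1))
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Check the tag before trusting anything in the frame; the comparison
        # is constant-time so tag bytes are not leaked through timing.
        if not hmac.compare_digest(tag, expected):
            self.audit.append(("bad_tag", -1))
            return None
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            # Authentic but already seen (or older than the last accepted):
            # a captured-and-resent frame is rejected here.
            self.audit.append(("replay", seq))
            return None
        self.last_seq = seq
        self.audit.append(("accepted", seq))
        return payload


def demo() -> List[Tuple[str, int]]:
    """Run the receiver against good, replayed, tampered and unkeyed frames."""
    key = b"constructed-demo-key-do-not-reuse"   # assumption: shared secret
    rx = Receiver(key)
    frame1 = protect(key, 1, b"OPEN breaker_7")     # constructed command
    frame2 = protect(key, 2, b"CLOSE breaker_7")
    rx.accept(frame1)                  # accepted, seq 1
    rx.accept(frame2)                  # accepted, seq 2
    rx.accept(frame1)                  # same frame again -> replay
    tampered = bytearray(frame2)
    tampered[SEQ_LEN] ^= 0x01          # flip one payload bit -> bad_tag
    rx.accept(bytes(tampered))
    rx.accept(protect(b"wrong-key", 3, b"OPEN breaker_7"))  # no key -> bad_tag
    return rx.audit


if __name__ == "__main__":
    for event, seq in demo():
        print(f"{event:10s} seq={seq}")
```

Note what the counter does and does not cover: it stops re-sending of old frames on one link, but a receiver that restarts with `last_seq = -1` would accept old frames again, so in practice the counter (or a nonce) has to be persisted or re-negotiated; the MAC alone never prevents replay, which is why the two checks are separate layers here.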
  • 44. Defense In Depth: Example
    • NERC CIP Standards
      – CIP-002 – Critical Cyber Asset Identification
      – CIP-003 – Security Management Controls
      – CIP-004 – Personnel & Training
      – CIP-005 – Electronic Security Perimeter(s)
      – CIP-006 – Physical Security
      – CIP-007 – Systems Security Management
      – CIP-008 – Incident Reporting & Response Planning
      – CIP-009 – Recovery Plans for Critical Cyber Assets
  • 45. Proven Security Solutions
    • Physical Protection
    • Network Controls: Admission, Segmentation
    • Strong ID, Authentication and Authorization
    • Aware Person System (Training and Awareness)
    • Intrusion Detection/Prevention
    • Integrity Assurance
    • Application Whitelisting
    • Response and Recovery
  • 46. You Don’t Need a Perfect Defense
    • If defensive measures can be beaten, does the system ensure the results of the attack are:
      – Unprofitable
      – Limited in its ramifications
      – Hard enough to make the “juice” not worth the “squeeze”
      – Difficult to replicate
      – Quickly and easily recoverable
      – Traceable and easy to detect; and
      – Otherwise unappealing
  • 47. Why Your Role Is Increasing
    • Increased attacks on business processes
    • NERC CIP compliance
    • The deployment of smart grid
    • These are increasingly drivers for cost recovery consideration and other contexts in cases that are coming your way very soon
    • Is that reflected in what you’re seeing / hearing?
  • 48. Proposal: Roles for Public Utility Commissions
    1. Ask the right questions when considering cost recovery of prudent utility expenditures for cyber security.
    2. Assuring that cyber security requirements that utilities are subject to are being met.
      – PUC Staff need to be up-to-date on cyber security requirements and potential threats.
    3. Assuring that the PUC’s computer systems and operations are subject to on-going cyber security reviews and remediation, and that disaster recovery plans are in place and tested.
      – This also includes cyber security awareness for agency employees.
    4. Understand and participate in regional and national efforts for protecting critical infrastructure
  • 49. Cybersecurity Investments: What To Ask
    • Worth saying twice: someone on the PUC staff needs to be up-to-date on cyber security requirements and potential threats.
    • Ask how security is addressed (conceptually) for each component
    • Don’t accept assurances that all products used were built to be secure, or that IT solutions will work for SCADA systems. Insist that vendors document & independently verify their security controls
    • Use compliance as a floor, not a ceiling: Ask to see risk assessment documentation
    • Ensure security is budgeted for and individuals are assigned responsibility
    • Ensure service providers (for example, telcos, meter data processors) are included in risk assessment and provide sufficient information
    • Ensure integrated security between business systems and control systems for existing grid and for smart grid
  • 50. Three examples of State action
    • Pennsylvania
    • Missouri
    • New York
    • PUCs don’t need to become cyber experts or enforcers, but if you ask a utility a question they will return with an answer
  • 51. Cybersecurity Requirements and Resources
    • For the Bulk Power System:
      – The North American Electric Reliability Corporation -- Standards CIP-002 through CIP-009 (the Critical Cyber Asset Identification portion of the Critical Infrastructure Protection standards)
      – http://www.nerc.com/page.php?cid=2|20
    • For the Smart Grid:
      – The National Institute of Standards and Technology (NIST) smart grid interoperability standards and specifications for inclusion in the Smart Grid Interoperability Standards Framework, Release 1.0. These include three volumes on cyber security
      – http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628
    • What’s Missing?
      – Distribution systems, serial control systems, and other gaps
  • 52. Smart Grid Investment Grant Program
    • Requires a description of how cyber security concerns will be addressed with respect to the use of best available equipment and the application of procedures and practices involving system design, testing, deployment, operations and decommissioning, including at a minimum:
      i. A description of the cyber security risks at each stage of the system deployment lifecycle,
      ii. Cyber security criteria used for vendor and device selection,
      iii. Cyber security control strategies,
      iv. Descriptions of residual cyber security risks,
      v. Relevant cyber security standards and best practices, and
      vi. Descriptions of how the project will support/adopt/implement emerging smart grid security standards
    Source: Notice of Intent to Issue a Funding Opportunity Announcement For the Smart Grid Investment Grant Program, April 16, 2009
  • 53. Is Smart Grid More Vulnerable?
    Source: “San Diego Smart Grid Study”, October 2006
    Power outages cost between $80 billion and $150 billion every year
  • 54. Energy Independence and Security Act
    • In the Energy Independence and Security Act (EISA) of 2007, Congress established the development of a Smart Grid as a national policy goal.
    • Under EISA, NIST is directed to “coordinate the development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems” as well as maintain the reliability and security of the electricity infrastructure.
  • 55. Conceptual Reference Diagram for Smart Grid Information Networks
  • 56. Interoperability Framework
    (Diagram slide; layers: Testing and Certification; Standards; Security Architecture and Requirements; Conceptual Reference Model; Business and Public Policy Requirements)
  • 57. NIST Three Phase Plan
    • Phase 1: Identify an initial set of existing consensus standards and develop a roadmap to fill gaps
    • Phase 2: Establish public/private Standards Panel to provide ongoing recommendations for new/revised standards
    • Phase 3: Testing and Certification Framework
    Timeline: 2009 to 2010
  • 58. Smart Grid – an Opportunity
    • Modernization provides an opportunity to improve security of the Grid
    • Integration of new IT and networking technologies
      – Brings new risks as well as an array of security standards, processes, and tools
    • Architecture is key
      – Security must be designed in – it cannot be added on later
  • 59. CSWG
    • To address the cross-cutting issue of cyber security, NIST established the Cyber Security Coordination Task Group (CSCTG) in March 2009
    • Moved under the NIST Smart Grid Interoperability Panel (SGIP) as a standing working group and was renamed the Cyber Security Working Group (SGIP–CSWG)
    • The CSWG now has more than 475 participants from the private sector (including vendors and service providers), academia, regulatory organizations, national research laboratories, and federal agencies
  • 60. Guidelines for Smart Grid Cyber Security
    • NIST Interagency Report 7628 - August 2010
      – Development of the document led by NIST
      – Represents significant coordination among
        • Federal agencies
        • Private sector
        • Regulators
        • Academics
      – Document includes material that will be used in selecting and modifying security requirements
  • 61. NISTIR 7628 – What it IS and IS NOT
    What it IS
    • A tool for organizations that are researching, designing, developing, and implementing Smart Grid technologies
    • May be used as a guideline to evaluate the overall cyber risks to a Smart Grid system during the design phase and during system implementation and maintenance
    • Guidance for organizations
      – Each organization must develop its own cyber security strategy (including a risk assessment methodology) for the Smart Grid.
    What it IS NOT
    • It does not prescribe particular solutions
    • It is not mandatory
  • 62. (Diagram slide; labels: 1. Use Case Analysis – Top-down analysis (inter-component, domain), Bottom-up analysis (vulnerability, privacy classes); 2. Risk Assessment – Identify assets, Vulnerabilities, Threats, Impacts; 2a. Security Architecture; 2b. Smart Grid Standards Assessment – Existing Standards (CIP, IEEE, IEC, etc.); 3. High Level Security Requirements; 4. Conformity Assessment)
  • 63. NISTIR 7628 Content
    The NISTIR includes the following
    • Executive Summary
    • Chapter 1 - Overall cyber security strategy for the Smart Grid
    • Chapter 2 – High level and logical security architecture
    • Chapter 3 – High level security requirements
    • Chapter 4 – Cryptography and key management
  • 64. NISTIR 7628 Content (2)
    • Chapter 5 - Privacy and the Smart Grid
    • Chapter 6 – Vulnerability Classes
    • Chapter 7 – Bottom-up security analysis of the Smart Grid
    • Chapter 8 - R&D themes for cyber security in the Smart Grid
    • Chapter 9 – Overview of the standards review
  • 65. NISTIR 7628 Content (3)
    • Chapter 10 – Key power system use cases for security requirements
    • Appendices A - J
  • 66. How to Participate in CSWG
    • NIST Smart Grid portal http://nist.gov/smartgrid
    • Cyber Security Working Group
      – Lead: Marianne Swanson (marianne.swanson@nist.gov)
      – NIST Support: Tanya Brewer (tanya.brewer@nist.gov)
    • Cyber Security Twiki site
    • http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CyberSecurityCTG
  • 67. Security of PUC’s computer systems
    This may be the responsibility of another state agency or office, but the implication of a failure will impact the business operation of the Commission
    • Assuring that the computer systems that the PUC relies on have on-going cyber security reviews and remediation of identified vulnerabilities.
    • Disaster recovery plans are in place and tested and Continuity of Operation Plans have been developed.
    • Cyber security awareness for agency employees including social engineering and insider threats.
  • 68. Continuity of Operation Plans (COOP)
    • Internal contingency plans of government and business to assure the rapid resumption of essential functions as soon as possible if they are disrupted for any reason: e.g., fire, tornado, hurricanes, wildfires, earthquakes, terrorism, pandemics, etc. – Build Self-reliance and Resiliency
    • Helps assure that critical/essential functions can quickly resume operations
    • Addresses key or essential employees, required facilities, computer system records and back-up data systems, etc.
    • Minimize damage & losses
    • Management succession & emergency powers
  • 69. On what cyber systems do you rely?
    • What IT systems support critical PUC functions?
    • What are the backed up systems?
    • What systems are needed to support restoration?
    • What systems are needed operationally?
    • In what sequence should systems be restored?
    • What are the telecommunication needs and requirements?
    Hourly Loss from Downtime in the Information Technology Sector: $1.3 million/hr
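Slides 68 and 69 ask a commission to work out which systems it relies on and in what sequence they should be restored. One way to answer the sequencing question once the dependencies are written down is shown below as an added example; it is not code from the NARUC deck or from any COOP tool. Each PUC system is listed with the systems it needs running first, and a topological sort (Kahn's algorithm) produces a restoration order that never brings a system up before its prerequisites; a circular dependency, which no automatic order can satisfy, is reported so the plan can break it by hand. The system names and dependencies are constructed for the illustration.

```python
"""Restoration sequencing for a Continuity of Operations Plan.

Added example (not from the NARUC deck): deps[s] is the set of systems
that must be running before s can be restored. restore_order() returns
an order that respects every dependency, breaking ties alphabetically so
the plan is reproducible, and raises ValueError when the dependencies
form a cycle. All system names below are constructed.
"""
from typing import Dict, List, Set


def restore_order(deps: Dict[str, Set[str]]) -> List[str]:
    """Kahn's topological sort over the dependency graph."""
    # Every name mentioned anywhere is a system, even if it has no entry.
    systems = set(deps) | {d for ds in deps.values() for d in ds}
    remaining = {s: set(deps.get(s, set())) for s in systems}  # copies
    ready = sorted(s for s, ds in remaining.items() if not ds)
    order: List[str] = []
    while ready:
        current = ready.pop(0)          # smallest name among the ready ones
        order.append(current)
        for system, ds in remaining.items():
            if current in ds:
                ds.discard(current)
                if not ds:               # last prerequisite just came up
                    ready.append(system)
        ready.sort()
    if len(order) != len(systems):
        stuck = sorted(s for s in systems if s not in order)
        raise ValueError(f"circular dependency among: {stuck}")
    return order


def demo_dependencies() -> Dict[str, Set[str]]:
    """Constructed dependency map for a fictional commission's IT estate."""
    return {
        "network_core": set(),
        "directory_auth": {"network_core"},
        "email": {"network_core", "directory_auth"},
        "storage": {"network_core"},
        "database": {"network_core", "storage"},
        "docket_filing": {"network_core", "directory_auth", "database"},
        "public_website": {"network_core", "docket_filing"},
    }


def demo() -> List[str]:
    """Restoration order for the constructed dependency map."""
    return restore_order(demo_dependencies())


if __name__ == "__main__":
    for step, system in enumerate(demo(), start=1):
        print(f"{step}. {system}")
    try:
        restore_order({"a": {"b"}, "b": {"a"}})
    except ValueError as err:
        print("plan needs manual intervention:", err)
```

The alphabetical tie-break is deliberate: two independent systems can be restored in either order, but a COOP that prints a different sequence on every run is hard to rehearse and audit, so the function picks one and sticks to it.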
  • 70. What if this happened?
  • 71. Employee Education
    http://www.michigan.gov/cybersecurity
  • 72. Resilience Factors
    • Robustness
      – The ability to operate or stay standing in the face of disaster
    • Resourcefulness
      – Skillfully managing a disaster once it unfolds
    • Rapid Recovery
      – The capacity to get things back to normal as quickly as possible after a disaster
    • Learning lessons
      – Having the means to absorb the new lessons that can be drawn from a catastrophe
  • 73. Resilience Considerations
    • Resilience depends on humans
      – Human networks are key
      – Ability to work together and individually
      – Potential for panic or confusion
      – Build necessary connections (relationships) in advance
    • In the event of an electric power sector cyberattack, do you know:
      – Your role? If not, whose role it is to act?
      – Who to call? What they can/should do?
  • 74. Protecting The Right Stuff
    • Very little security actuarial data vs. engineering actuarial data
    • Most organizations don’t communicate details of security breaches
    • Most estimates are based on FUD (Fear, Uncertainty and Doubt)
    • Need better/current data on:
      – What is being attacked? (most preferred targets)
      – Which attacks were successful?
  • 75. Product/Service Problem(s)
    • Utilities are married to their products [and vendors] for many years
    • Most products are very expensive to replace or upgrade and challenging to coordinate
    • Product vendors are trying to balance security and profit; guess which one wins…
    • Some vendors are responsive, most are not
    • SCADA Procurement Language can help, but only for new purchases
  • 76. What Can State Regulators Do?
    • Get educated (even more than today)
    • Strategic communication, in all directions
    • Build new relationships and reshape old
    • Support measures to get actuarial data
    • Support secure procurement measures
    • Support security training/education
    • Support appropriate staffing levels
    • Rethink the rate case approach
  • 77. What Can State Regulators Do?
    • Ask questions…
      – Are you using the SCADA Procurement Language?
      – Are you participating in local, state, regional, national security/disaster exercises?
      – What security training/education/awareness are you providing to your staff and how often?
      – Where do you get your situational awareness data?
      – What cybersecurity technologies do you use?
      – Have you performed a full [exhaustive] inventory of all control systems and all associated communication links?
  • 78. Education and Training
    • What is happening in Operations, Federal, States?
    • OpSec, Red-Blue, Security Body of Knowledge, security concepts
    • Security practices change rapidly
      – Need for training on new tactics and new technology is perpetual
    • Lack of education leads to a false sense of security
      – Otherwise known as knowing just enough to be dangerous
  • 79. Communication
    • Ratepayers want a secure grid, until they see the bill
      – Expect rate shock
      – Rates could triple or more, for some infrastructures
    • Common Practice vs. Best Practice
    • Early and regular, fact-based communication can minimize negative public reaction
    • Remind ratepayers that smart, informed decisions are being made
  • 80. Communication
    • Keep the story fresh; lather, rinse, repeat
    • Leverage existing Safety communication vehicles/mechanisms
      – Newsletters
      – Mailers, billing notices
      – Public service announcements
      – Sponsored events
    • Partner with utilities, Federal agencies and even Media to convey a unified message
  • 81. Relationships
    • Get out and talk to your operators
    • Get to know the industry thought leaders
    • What are your peers doing?
    • Situational Awareness
      – NESCO, VirtualUSA, Einstein, Fusion centers, Infragard…
    • Take a partnership approach to the rate case (vs. adversarial) as much as possible
  • 82. Closing Thoughts
    • Cybersecurity is worth taking seriously, but will have to fit into a long list of concerns and priorities
    • There are few response networks for utility sector cybersecurity among State Governments
    • Few of those evaluating cybersecurity investments understand cybersecurity
    • An unskilled operator of any power tool will hurt themselves and those around them
      – Training and staffing are imperative
    • A culture shift is the first ingredient for success
    • Soft-skills may matter more than technical skills
  • 83. Questions?
    Patrick C Miller, President and CEO, EnergySec; Principal Investigator, NESCO; patrick@energysec.org; 503-446-1212
    Miles Keogh, NARUC Director of Grants & Research; mkeogh@naruc.org; 202-898-2217
    Bill Hunteman, Chief Cyber Security Advisor, US Department of Energy, Office of Electricity Delivery & Energy Reliability; William.hunteman@doe.gov