Combating Apathy, Fatigue and Misdirection at EnergySec Summit
1. Call to Arms: Combating Apathy, Fatigue and Misdirection
8th Annual EnergySec Summit
World Trade Center, Portland, OR
September 25, 2012
2. Threat Picture
Intelligent, adaptive adversaries exist. They don't follow the rules or compliance checklists. They have people, money and time.
But… the sky isn't falling.
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy. (9/26/12)
3. Technology Picture
• Emergent intelligence
• A new digital world order
• Hyper-connectivity
• Hyper-embeddedness
• Hyper-temporality
• Vulnerabilities abound
• Bolt-ons are imperfect and complex
4. Cybersecurity Picture
• Research, espionage, organized crime, cyber/info warfare
• Data is money
• Nation-state quality defense is the new norm
• Isolation is extremely difficult
• Cyber-kinetic impacts
• Engineering vs. Security
5. Small Is The New Big
• Cyber attacks don't care about distance or size
• It's all about connectivity
• Hackers are typically lazy, except when they're not
• Attribution and obfuscation
• Stepping stones
6. Legislative/Regulatory Picture
• Hyperbole, FUD and politics
• Fear the auditor more than the attacker
• "Comprehensive"
• Smart Grid security/interoperability
• Data breach disclosure
• Intelligent islanding
• Federal turf wars over critical infrastructure cybersecurity
• Regulatory landscape shift
7. Regulation vs. Attitude
• Regulation is easy, until it isn't
  – Toaster to turbine
  – Party politics
  – Fed vs. Fed, Fed vs. State vs. Local…
  – Overlap, cost and fatigue
• Adversaries will always innovate faster than the legislative process
• You can prescribe action, but not attitude
8. Cybersecurity Law
• Posse Comitatus Act, 18 U.S.C. §1385
• Antitrust Laws
  – Sherman Antitrust Act, 15 U.S.C. §§1-7
  – Wilson Tariff Act, 15 U.S.C. §§8-11
  – Clayton Act, 15 U.S.C. §§12-27
  – Federal Trade Commission (FTC) Act §5, 15 U.S.C. §45(a)
• National Institute of Standards and Technology (NIST) Act (p. 13), 15 U.S.C. §271
• Radio Act of 1912
• Federal Power Act (p. 13), 16 U.S.C. §791a et seq., §824 et seq.
• Radio Act of 1927
• Communications Act of 1934 (p. 14), 47 U.S.C. §151 et seq.
• National Security Act of 1947 (p. 15), 50 U.S.C. §401 et seq.
• US Information and Educational Exchange Act of 1948 (Smith-Mundt Act) (p. 15), 22 U.S.C. §1431 et seq.
• Defense Production Act of 1950, 50 U.S.C. App. §2061 et seq.
• State Department Basic Authorities Act of 1956 (p. 17), 22 U.S.C. §2651a
• Brooks Automatic Data Processing Act
• Freedom of Information Act (FOIA) (p. 17), 5 U.S.C. §552
• Omnibus Crime Control and Safe Streets Act of 1968 (p. 19), 42 U.S.C. Chapter 46, §§3701 to 3797ee-1
• Racketeer Influenced and Corrupt Organizations Act (RICO) (p. 19), 18 U.S.C. Chapter 96, §§1961-1968
• Federal Advisory Committee Act (p. 20), 5 U.S.C. App., §§1-16
• War Powers Resolution, 50 U.S.C. Chapter 33, §§1541-1548
• Privacy Act of 1974 (p. 20), 5 U.S.C. §552a
• Foreign Intelligence Surveillance Act of 1978 (FISA), 18 U.S.C. §§2511, 2518-9; 50 U.S.C. Chapter 36, §§1801-1885c
• Privacy Protection Act of 1980, 42 U.S.C. Chapter 21A, §§2000aa-5 to 2000aa-12
• Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (p. 21), 18 U.S.C. §1030
• Computer Fraud and Abuse Act of 1986, 18 U.S.C. §1030
• Electronic Communications Privacy Act of 1986 (ECPA) (p. 22), 18 U.S.C. §§2510-2522, 2701-2712, 3121-3126
• Department of Defense Appropriations Act, 1987 (p. 24), 10 U.S.C. §167
• Computer Security Act of 1987, 15 U.S.C. §§272, 278g-3, 278g-4, 278h
• Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. §552a
• High Performance Computing Act of 1991 (p. 24), 15 U.S.C. Chapter 81
• Communications Assistance for Law Enforcement Act (CALEA) of 1994 (p. 26), 47 U.S.C. §1001 et seq.
Source: Eric A. Fischer (Senior Specialist in Science and Technology), Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, December 22, 2011. The page references are to that report.
9. Cybersecurity Law
• Paperwork Reduction Act of 1995, 44 U.S.C. Chapter 35, §§3501-3549
• Telecommunications Act of 1996, 47 U.S.C. §609
• Communications Decency Act of 1996 (p. 27), 47 U.S.C. §§223, 230
• Clinger-Cohen Act (Information Technology Management Reform Act) of 1996 (p. 28), 40 U.S.C. §11001 et seq.
• Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. §1320d et seq.
• Economic Espionage Act of 1996, 18 U.S.C. §1030, Chapter 90, §§1831-1839
• Identity Theft and Assumption Deterrence Act of 1998 (p. 29), 18 U.S.C. §1028
• National Defense Authorization Act for Fiscal Year 2000, 10 U.S.C. §2224
• Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Chapter 94, §§6801-6827
• USA PATRIOT Act of 2001, 18 U.S.C. §1
• Sarbanes-Oxley Act of 2002, 15 U.S.C. §7262
• Homeland Security Act of 2002 (HSA) (p. 30), 6 U.S.C. §§121-195c, 441-444, and 481-486
• Federal Information Security Management Act of 2002 (FISMA) (p. 32), 44 U.S.C. Chapter 35, Subchapters II and III; 40 U.S.C. §11331; 15 U.S.C. §§278g-3 and 278g-4
• Terrorism Risk Insurance Act of 2002 (p. 34), 15 U.S.C. §6701 nt.
• Cyber Security Research and Development Act, 2002 (p. 34), 15 U.S.C. §§278g, 278h, 7401 et seq.
• E-Government Act of 2002 (p. 36), 5 U.S.C. Chapter 37; 44 U.S.C. §3501 nt., Chapter 35, Subchapter 2, and Chapter 36
• Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. §1601
• Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, 15 U.S.C. Chapter 103, §§7701-7713; 18 U.S.C. §1037
• Identity Theft Penalty Enhancement Act of 2004 (p. 37), 18 U.S.C. §§1028, 1028A
• Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) (p. 38), 42 U.S.C. §2000ee; 50 U.S.C. §403-1 et seq., §403-3 et seq., §404o et seq.
• Energy Policy Act of 2005 (EPACT), 16 U.S.C. §824o
• Department of Homeland Security Appropriations Act, 2007, 6 U.S.C. §121 nt.
• Protect America Act of 2007, 50 U.S.C. §1801 nt.
• Energy Independence and Security Act of 2007 (EISA), 42 U.S.C. §§17381-17385
• Foreign Intelligence Surveillance Act of 1978 [FISA] Amendments Act of 2008, 50 U.S.C. §1801
• Identity Theft Enforcement and Restitution Act of 2008, 18 U.S.C. §1030
• Health Information Technology for Economic and Clinical Health (HITECH) Act, 42 U.S.C. §17901 et seq.
Source: Eric A. Fischer (Senior Specialist in Science and Technology), Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, December 22, 2011. The page references are to that report.
“…security is an art – and you cannot legislate art.”
Comment by Deputy Assistant Director, US DOE
10. Do The Right Thing
• "Why don't they just do the right thing?"
  – Comment by House Homeland Security Committee staffer, 2009
• Dozens of Congressional hearings
• Roughly 150 bills since 2009
• Executive Order being considered
• No closer to defining what the "right thing" is
11. Compliance vs. Security
12. Compliance vs. Security
• "I had a nightmare last night. My entire security team had been converted to compliance staff!"
  – Comment by former security manager for a large U.S. investor-owned utility
• A culture of compliance may not be a good thing
• Compliance can both help and hurt security
• There is a point where security and compliance meet; it isn't always easy to find, but it is the best approach to spending and resourcing
13. Sector Spotlight
• Electric sector (SCADA) = the new shiny object
• TV, movies, media, blogosphere, Twitter
• Armchair experts and hyperbole
• Other critical infrastructures, nation states
• Smart Grid fever will drive more attention
• The mania will intensify in the near term
• Very little actuarial data from which to form risk models
14. Resources Are Scarce
• Not enough qualified security pros available
• Very complex range of skills needed to match operational technologies, security tools and business (compliance) risk
• Active "cannibalization" of talent within the sector
• Few qualified auditors and consultants
• Artificial demand in the market increases costs
15. Vendor Relationships
• Most vendors put features first, security second
• ARRA and other "green/clean" dollars are fueling corporate consumerism
• You are being given old technology as new, and new technology that hasn't been tested
• Interoperability standards, SCADA Procurement Language, code reviews, etc.
• 100% secure does not and will not exist
• Security testing in FAT (factory acceptance testing), and again in SAT (site acceptance testing)
• Vulnerability disclosure ripple effect
16. Negative Perceptions
• Too many cases of lowering security to achieve strict compliance with NERC CIP standards, while potentially reducing reliability
• Too few Critical Assets and Critical Cyber Assets
• CIPS is more about accountability than security
• Future changes to CIPS are slow and inadequate
• Virtually no change in over 6 years
• Industry is actively trying to minimize and stall
• CIP Version 5 has one more "round" - or else…
17. Regulation Will Get Muddy
• Accountability baseline still forming
• Consensus is not possible; ANSI flaws
• Region/NERC/FERC relationship is unstable
• Data breach laws are coming
• Overlapping regulations (SOX, PCI, CFATS, MTSA, Pipeline Safety, NRC…)
• Heavy politics attached to grid security
• Who's got the cybersecurity authority today?
18. Recommendations
• Realize that you are a target; act accordingly
• Prepare for the spotlight and the microscope
• Build a compliance program that can embrace any regulatory regime, even DHS (think TSA)
• CIPS is only the beginning; expect more
• Don't wait for the next regulation to start implementing controls
19. Recommendations
• Start with an evaluation of risk and capability
• Adopt a risk management framework
• Automate compliance from sound business process, but don't under-resource
  – Security technology requires humans
• Consider a continuous monitoring approach
• Manage it like other risks in the portfolio
• Communication is key: customers, stakeholders
20. EnergySec Needs You
• Volunteer programs
  – Tactical Analysis Center
  – Best Practices Repository
  – Community-driven efforts (Working Groups, task force, whitepapers, etc.)
• Financial support
  – NESCO must be sustained by industry
  – TAC subscriptions
  – Organizational or individual membership
  – Donations/sponsorships
21. Break The Mold
“You cannot solve a problem from the same consciousness that created it. You must learn to see the world anew.”
– Albert Einstein
22. Questions
Patrick C Miller
President & CEO
patrick.miller@energysec.org
503.272.1414
@patrickcmiller (twitter)
www.energysec.org