EnergySec, profile picture
Uploaded byEnergySec
1,223 views

Cybersecurity for Energy: Moving Beyond Compliance

The document discusses the evolving cybersecurity threats faced by the energy sector and the importance of moving beyond mere compliance to a strategic risk management approach. It emphasizes the need for effective governance, budgeting tied to business risks, and the integration of security measures across organizational boundaries. Additionally, it highlights the significance of preparing for and responding to malicious attacks while ensuring the protection of critical infrastructure and services.

Downloaded 55 times
NATIONAL SECURITY • ENERGY & ENVIRONMENT • HEALTH • CYBERSECURITY © SAIC. All rights reserved. Cybersecurity for Energy: Moving Beyond Compliance
SAIC.com © SAIC. All rights reserved. The Threats Keep Coming…. 2 •  1998: Telephone switch hack closes an airport •  2000: Gazprom central control is hacked •  2000: Australian hacker causes environmental harm by releasing sewage •  2001: Hackers protesting U.S./China conflict enter U.S. electric power systems •  2003: Power outages in northeastern United States occur •  2003: Worm shuts systems down at Davis-Besse nuclear plant •  2006: Zotob virus shuts down Holden car manufacturing plant (Australia) •  2007: Aurora demonstration shows damage a remote hacker can cause physical harm to a generator •  2008: Intruder installed malware causing damage to Sacramento River diverter •  2010: Stuxnet discovered •  2012: Saudi Aramco targeted by Shamoon virus wiping out 30,000 hard drives
SAIC.com © SAIC. All rights reserved. ….And Our Defenses Struggle to Keep Up Threat Briefing: Escalating Security Threats 3 •  Attackers prefer lower-tech attack methods if they work •  Attacks are tailored to the defenses they need to breach •  As defenses improve, attacks will escalate to breach them, then step back down •  Improve defenses in one area and attackers move to other areas that are weaker Attacks Defenses Phishing Spear Phishing Published Vulnerabilities: (Browser, App, OS) Web Attacks: (SQL Inject; Cross-Site Script) Credential Harvesting & Abuse: (Keylogger, Pass-the-Hash) 2 factor Compromise: (Session hijack, OTP capture, Cert theft) Break Weak Crypto / Password Zero Day: (Browser, App, OS) Driver / BIOS / Hardware: (Vulnerability, Zero-Day) Hypervisor Breach: (Vulnerability, Zero-Day) Break Strong Cryptography Firewall Anti-Virus Patching Network IDS Host Firewall, Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) Network Segmentation Physical Isolation Hardened operating system Data Protection / Encryption Secure Coding Access Control App Whitelisting App Hardening High Assurance hardware 2-Factor Authentication Log Consolidation In-Memory Malware Detection Increasing Difficulty APT Hackers Hacktivists Viruses Network Breach: (Firewall, Switch, Router) BIOS = Binary Input Output System APT = Advanced Persistent Threat OS = Operating System OTP = One-time Password Cert = Certificate
SAIC.com © SAIC. All rights reserved. Cybersecurity is Becoming a Board-level Issue Reuters, October 13, 2011 National Association of Corporate Directors
SAIC.com © SAIC. All rights reserved. Turning Cybersecurity Risk Into a Business Risk •  Nuisance Example: Isolated malware infections –  Typically occur at rate of 6% of computers per year –  One oil company estimated cost at $4000 per machine (including productivity losses) 5 •  Slightly Less of a Nuisance: Customer Data Breach Losses –  Ponemon Institute estimated at $194 per record (most of cost is future lost business) –  TJX saw losses of more than $171 million for its 2006 data breach; Heartland Payments Systems had 130 million credit card numbers breached in 2009 –  For most customer data breaches, however, the relevant costs are minor as harms are hard to prove and the reputational damage is short-lived •  For utilities, greatest threats through cybersecurity attack are on ability to operate –  Maintaining stability of transmission and distribution grids (preventing widespread outages) –  Keeping hard to replace equipment from being damaged or destroyed (Aurora) –  Protecting human lives (fires, electrocutions, explosions, radiation) –  Ability to maintain cash flow (integrity of financial records, ability to bill and receive payments, access to bank accounts to pay suppliers) –  Ability to generate and coordinate (independent system operator functions, automated generation control)
SAIC.com © SAIC. All rights reserved. What About These “Cyber” Risks? “Examples of true incidents that have been labelled cyber security breaches are as follows: –  a mis-sent email (a strategy document sent to a competitor); –  commercial papers lost on a train; –  a former employee that was not legally prevented from taking bid information to a competitor; –  a laptop left on a plane with passwords attached; and careless use of social media giving away IPR, –  and more frequently, because it's cheaper, the use of social engineering ("new best friends" who buy you drinks all night at the bar, fascinated by your company).” Andrew Fitzmaurice, The Guardian, July 25, 2013 http://www.guardian.co.uk/media-network/media-network-blog/2013/jul/25/cyber-security-board-level-information-technology 6
SAIC.com © SAIC. All rights reserved. Organizing Around Business Risk •  The Banking Experience (Basel II/III) –  Organizes risk around categories that can be measured and contribute to organization’s overall risk posture that influence capital requirements 7 Influence on Capital Requirements Market Risk Credit Risk Liquidity Risk Operational Risk Operational Risk Components Legal Human Resources Physical Security/ Facilities Procurement IT (Performance, Security, Capacity) IT – Information Technology
SAIC.com © SAIC. All rights reserved. Business Risk for Utilities 8 •  Align by function/business area –  Harder to tie in financial metrics that benefit from lower risk (bond ratings?) Utility Business Risks T&D Reliability Energy Trading Key Equipment Protection Human Safety Operational Risk Operational Risk Cash Flow Compliance Human Resources Facilities IT (Performance, Security, Capacity) T&D – Transmission & Distribution IT- Information Technology
SAIC.com © SAIC. All rights reserved. Governance Model 9 •  Who does cybersecurity organization report to? –  In many, it’s the Chief Information Officer –  Can reporting reach executive and board level stakeholders? –  Do policies regularly get the backing of the CEO? •  Budget –  Is the cybersecurity budget tied to major initiatives (transmission expansion, safety initiatives, new substations)? –  Is there a relationship between cybersecurity risk and other major risks? •  As new meters, sensors, and relays are added, is cybersecurity risk adjusted along with its budget? •  Are improvements in grid reliability correlated with improvement in cybersecurity? –  Are cybersecurity budget line items evaluated for how they help reduce major business risks or even other operational risks?
SAIC.com © SAIC. All rights reserved. Moving from a Tactical to Risk Management Mindset 10 •  What gets reported? –  Malware infections vs. business disruptions –  Data breaches/lost laptops vs. value at risk –  Attacks blocked vs. threats averted •  How are resources allocated for cybersecurity? Tactical •  Firewall management •  Log management •  Authentication •  Endpoint security •  Server security Risk Management •  T&D grid stability •  Customer data protection •  Energy trading integrity •  Key asset protection •  Health and safety T&D – Transmission & Distribution
SAIC.com © SAIC. All rights reserved. From Resistance to Resiliency and Recovery 11 •  Do you know what your response will be if… –  You cannot trust the data coming from your substations –  Customer billing data has been corrupted –  Hackers have brought down your Energy Management System, and you’re not sure if all malware has been removed –  A smart meter firmware update that was just applied contains malicious code that shuts off power and then ceases communication? •  Most utilities run disaster recovery and business continuity drills but usually focus on natural events and not malicious and sentient actors •  While prevention and detection are necessary, successful programs assume response and recovery will be required and plan accordingly
SAIC.com © SAIC. All rights reserved. Where to Start 12 •  How can you tell how good a job you are doing? –  Mapping to business risks helps to speak to the board but day to day challenges still require a comprehensive approach –  Frameworks can help if used in the context of business risk •  NERC CIP, NIST SP 800-53/800-82, ISO 27001, IEC 62443* •  Need maturity models and means of comparison with peers Electricity Subsector Cybersecurity Capability Maturity Model US Department of Energy Maturity Indicator Levels (MIL): MIL1: Initiated MIL2: Performed MIL3: Managed *See last slide for acronyms
SAIC.com © SAIC. All rights reserved. Managing IT Security Capabilities 13 # Functional Area Architect Design Deploy Support Retire Maintain Operate 1 Security Infrastructure Management X X X X X X X 2 Network Admin & Security X X X X X X X 3 Application Security X X X X X X X 4 Endpoint & Server Security X X X X X X X 5 Cryptography & Data Protection X X X X X X X 6 Identity Management & Authentication X X X X X X X 7 Asset Management & Supply Chain X X X X X X X 8 Monitoring & Vulnerability Management X X X X X X X 9 Incident Response X X X X X X X 10 Policy & Audit & E-Discovery & Training X X X X X X X •  Need to apply controls from a lifecycle and functional perspective such as Integrated Strategy & Architecture, Integrated Operations, and Engineering services in each of Ten Functional Areas as indicated below. Strategy & Architecture OperationsEngineering
SAIC.com © SAIC. All rights reserved. Along with Some Control System Considerations 14 Bridging the Information Technology (IT) / Operations Technology (OT) divide will be critical to successful program as the threats hit IT first, but the biggest impact is felt on the OT side.
SAIC.com © SAIC. All rights reserved. Integrating the Data 15 •  Frameworks operate at 10,000 feet, threats at ground level –  Need automated mechanisms to report current state –  In government, we often use the term “continuous monitoring;” commercially it’s often “enterprise vulnerability management” –  Also need to ensure mandated controls stay current with threats Operations/Engineering Physical Security IT-Telecom/Cybersecurity Roles- based Correlation
SAIC.com © SAIC. All rights reserved. Putting It All Together 16 Strategy & Risk Management –  Assessing and Reporting –  Mapping security controls to acceptable risk posture –  Making sure cybersecurity risks are associated with business risks Security Operations –  Monitoring systems and networks for attacks –  Continuously monitoring for vulnerabilities and policy violations –  Aggressively seeking out threat intelligence –  Responding to incidents and assisting with the recovery Security Engineering –  Researching new protection techniques –  Designing, deploying, and supporting new security tools and technologies –  Aligning security tools, techniques, and technologies with organization’s culture and business drivers Governance & Oversight
SAIC.com © SAIC. All rights reserved. Budgets: How Much Security is Enough? 17 •  The industry norms –  Cybersecurity budgets in all industries tend to range from 3 to 10% of information technology budget –  For utilities, that number is closer to 3-5% –  IT budgets vary considerably by industry given different ways revenue is generated –  For many, 2-5% of revenue is typical for an IT budget –  For energy companies, operations technology (such as control systems) may be additional •  Criteria for additional expenditures –  Regulatory compliance (as much as 50% of security budget) –  Requirements to meet business continuity objectives –  Desire to meet industry best practices (such as encryption of all removable storage) –  Changing threat landscape –  Easily exploitable vulnerabilities –  Achieving acceptable risk posture (most subjective & hardest to substantiate)
SAIC.com © SAIC. All rights reserved. Example: Incorporating New Threats 18 •  Stuxnet –  Highly targeted and advanced attack on an Iranian nuclear power plant –  Included several “zero day” exploits (malicious software targeting vulnerabilities that had not been publicly known –  Likely introduced into “air-gapped” environment through flash drive Updating security policy and related controls Removable Media Practices “Out of band” monitoring Application Whitelisting Obtain buy-in from senior management Tie changes to key business objectives (such as key asset protection) Update budget Update policies & train employees Deploy software Integrate technology
SAIC.com © SAIC. All rights reserved. 19 In Summary Keys for Successful Security Program Compliance Through Lower Risk Crossing Organization Boundaries A Strategic Approach Future Aware Holistic Security Approach
Discussion For more information contact: Gib Sorebo SAIC Vice President /Chief Cybersecurity Technologist phone: 703-676-2605 | email: sorebog@saic.com
SAIC.com © SAIC. All rights reserved. Acronyms 21 NERC – North American Electric Reliability Corporation CIP – Critical Infrastructure Protection NIST SP – National Institute for Standards and Technology Special Publication ISO – International Standards Organization IEC – International Electrotechnical Commission

More Related Content

PDF
Security Program Guidance and Establishing a Culture of Security
byDoug Copley
 
PDF
Dynamic Cyber Defense
byEnergySec
 
PDF
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
byEnergySec
 
PDF
Achieving Compliance Through Security
byEnergySec
 
PDF
Integrating Cyber Security Alerts into the Operator Display
byEnergySec
 
PPTX
Bob West - Educating the Board of Directors
bycentralohioissa
 
PDF
NESCO Town Hall Workforce Development Presentation
byEnergySec
 
PDF
Building Human Intelligence – Pun Intended
byEnergySec
 
Security Program Guidance and Establishing a Culture of Security
byDoug Copley
 
Dynamic Cyber Defense
byEnergySec
 
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
byEnergySec
 
Achieving Compliance Through Security
byEnergySec
 
Integrating Cyber Security Alerts into the Operator Display
byEnergySec
 
Bob West - Educating the Board of Directors
bycentralohioissa
 
NESCO Town Hall Workforce Development Presentation
byEnergySec
 
Building Human Intelligence – Pun Intended
byEnergySec
 

What's hot

PPTX
An introduction to SOC (Security Operation Center)
byAhmad Haghighi
 
PDF
Strategy considerations for building a security operations center
byCMR WORLD TECH
 
PPTX
The Board and Cyber Security
byFireEye, Inc.
 
PDF
The Measure of Success: Security Metrics to Tell Your Story
byPriyanka Aash
 
PDF
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
PPTX
Top 10 tips for effective SOC/NOC collaboration or integration
bySridhar Karnam
 
PPTX
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
byInternational Federation of Accountants
 
PPTX
New CISO - The First 90 Days
byResilient Systems
 
PDF
OWASP based Threat Modeling Framework
byChaitanya Bhatt
 
PPTX
Tripwire Energy Working Group Session w/Dale Peterson
byTripwire
 
PDF
Impacts cloud remote_workforce
byRodrigo Varas
 
PPTX
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
byFireEye, Inc.
 
PDF
2014 the future evolution of cybersecurity
byMatthew Rosenquist
 
PPTX
Practical steps for assessing tablet & mobile device security
byEnclaveSecurity
 
PPTX
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
bycentralohioissa
 
PDF
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
byDevOps Indonesia
 
PPTX
Your cyber security webinar
byEmpired
 
PDF
Key Challenges Facing IT/OT: Hear From The Experts
byTripwire
 
PDF
Ruben Melendez - Economically Justifying IT Security Initiatives
bycentralohioissa
 
PPTX
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
bycentralohioissa
 
An introduction to SOC (Security Operation Center)
byAhmad Haghighi
 
Strategy considerations for building a security operations center
byCMR WORLD TECH
 
The Board and Cyber Security
byFireEye, Inc.
 
The Measure of Success: Security Metrics to Tell Your Story
byPriyanka Aash
 
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
Top 10 tips for effective SOC/NOC collaboration or integration
bySridhar Karnam
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
byInternational Federation of Accountants
 
New CISO - The First 90 Days
byResilient Systems
 
OWASP based Threat Modeling Framework
byChaitanya Bhatt
 
Tripwire Energy Working Group Session w/Dale Peterson
byTripwire
 
Impacts cloud remote_workforce
byRodrigo Varas
 
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
byFireEye, Inc.
 
2014 the future evolution of cybersecurity
byMatthew Rosenquist
 
Practical steps for assessing tablet & mobile device security
byEnclaveSecurity
 
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
bycentralohioissa
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
byDevOps Indonesia
 
Your cyber security webinar
byEmpired
 
Key Challenges Facing IT/OT: Hear From The Experts
byTripwire
 
Ruben Melendez - Economically Justifying IT Security Initiatives
bycentralohioissa
 
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
bycentralohioissa
 

Viewers also liked

PDF
ICS Supply Chain Security: Learning from Recent Incidents and Other Sectors
byEnergySec
 
PDF
IT4IT - itSMFUK v4 (3)
byTony Price
 
PDF
Rapid Risk Assessment: A New Approach to Risk Management
byEnergySec
 
PDF
Come See What’s Cooking in My Lab
byEnergySec
 
PPTX
Cobit5 owerwiev and implementation proposal
byEmilio Gratton
 
PDF
Structured NERC CIP Process Improvement Using Six Sigma
byEnergySec
 
PDF
6 Tools for Improving IT Operations in ICS Environments
byEnergySec
 
PDF
Implement cobit in your organization
byCheikh Hamallah DJIBA
 
PDF
iDialoghi - ICT Security Consulting
byiDIALOGHI
 
PDF
Security Updates Matter: Exploitation for Beginners
byEnergySec
 
PDF
How I learned to Stop Worrying and Start Loving the Smart Meter
byEnergySec
 
PDF
Energy Industry Organizational Strategies to Increase Cyber Resiliency
byEnergySec
 
PDF
Compromising Industrial Facilities From 40 Miles Away
byEnergySec
 
PDF
Understanding Hacker Tools and Techniques: A live Demonstration
byEnergySec
 
PDF
Building an Incident Response Team
byEnergySec
 
PPTX
Thinking of COBIT implementation – Where to start?
byVyom Labs
 
PPT
Energy Challenges for Wales: The Flexible Integrated Energy Systems (FLEXIS) ...
byenergybiographies
 
PDF
Energy Biographies Final Research report
byenergybiographies
 
PPTX
The grit in the oyster:
byenergybiographies
 
PPTX
Energy biographies: narrative genres, lifecourse transitions and practice change
byenergybiographies
 
ICS Supply Chain Security: Learning from Recent Incidents and Other Sectors
byEnergySec
 
IT4IT - itSMFUK v4 (3)
byTony Price
 
Rapid Risk Assessment: A New Approach to Risk Management
byEnergySec
 
Come See What’s Cooking in My Lab
byEnergySec
 
Cobit5 owerwiev and implementation proposal
byEmilio Gratton
 
Structured NERC CIP Process Improvement Using Six Sigma
byEnergySec
 
6 Tools for Improving IT Operations in ICS Environments
byEnergySec
 
Implement cobit in your organization
byCheikh Hamallah DJIBA
 
iDialoghi - ICT Security Consulting
byiDIALOGHI
 
Security Updates Matter: Exploitation for Beginners
byEnergySec
 
How I learned to Stop Worrying and Start Loving the Smart Meter
byEnergySec
 
Energy Industry Organizational Strategies to Increase Cyber Resiliency
byEnergySec
 
Compromising Industrial Facilities From 40 Miles Away
byEnergySec
 
Understanding Hacker Tools and Techniques: A live Demonstration
byEnergySec
 
Building an Incident Response Team
byEnergySec
 
Thinking of COBIT implementation – Where to start?
byVyom Labs
 
Energy Challenges for Wales: The Flexible Integrated Energy Systems (FLEXIS) ...
byenergybiographies
 
Energy Biographies Final Research report
byenergybiographies
 
The grit in the oyster:
byenergybiographies
 
Energy biographies: narrative genres, lifecourse transitions and practice change
byenergybiographies
 

Similar to Cybersecurity for Energy: Moving Beyond Compliance

PPTX
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
byJohn D. Johnson
 
PDF
Cyber Security
byNC Military Business Center
 
PPTX
Cybersecurity Training For Sales People.pptx
bysubodh258201
 
PDF
Cybersecurity Challenges - Identifying Key Threats and Trends.pdf
bySeasiaInfotech2
 
PPSX
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
byJames Mulhern
 
PPTX
Top Cybersecurity Challenges Facing Your Business
byNicholas Davis
 
PPTX
Building Cyber Resilience: No Safe Harbor
byAdvanced Technology Consulting (ATC)
 
PDF
Conférence ENGIE ACSS 2018
byAfrican Cyber Security Summit
 
PPTX
Leveraging Compliance to “Help” Prevent a Future Breach
byKevin Murphy
 
PDF
Fall2015SecurityShow
byAdam Heller
 
PDF
Why Corporate Security Professionals Should Care About Information Security
byResolver Inc.
 
DOCX
digital marketing
byabdullahanwarabdulla
 
PDF
Data security in cloud
byInterop
 
PDF
Cisco Connect 2018 Malaysia - Risk less, achieve more with proactive security
byNetworkCollaborators
 
PDF
2019 10-22 axio - taking control of cyber risk - grid-seccon
byAxio
 
PDF
Biznesa infrastruktūras un datu drošības juridiskie aspekti
byebuc
 
PPTX
Iurii Garasym. The future crimes and predestination of cyber security. Though...
byIT Arena
 
PDF
Cybersecurity Summit 2020 Slide Deck
byCimetrics Inc
 
PDF
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
PPTX
Your cyber security webinar
byIntergen
 
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
byJohn D. Johnson
 
Cyber Security
byNC Military Business Center
 
Cybersecurity Training For Sales People.pptx
bysubodh258201
 
Cybersecurity Challenges - Identifying Key Threats and Trends.pdf
bySeasiaInfotech2
 
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
byJames Mulhern
 
Top Cybersecurity Challenges Facing Your Business
byNicholas Davis
 
Building Cyber Resilience: No Safe Harbor
byAdvanced Technology Consulting (ATC)
 
Conférence ENGIE ACSS 2018
byAfrican Cyber Security Summit
 
Leveraging Compliance to “Help” Prevent a Future Breach
byKevin Murphy
 
Fall2015SecurityShow
byAdam Heller
 
Why Corporate Security Professionals Should Care About Information Security
byResolver Inc.
 
digital marketing
byabdullahanwarabdulla
 
Data security in cloud
byInterop
 
Cisco Connect 2018 Malaysia - Risk less, achieve more with proactive security
byNetworkCollaborators
 
2019 10-22 axio - taking control of cyber risk - grid-seccon
byAxio
 
Biznesa infrastruktūras un datu drošības juridiskie aspekti
byebuc
 
Iurii Garasym. The future crimes and predestination of cyber security. Though...
byIT Arena
 
Cybersecurity Summit 2020 Slide Deck
byCimetrics Inc
 
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
Your cyber security webinar
byIntergen
 

More from EnergySec

PPTX
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
byEnergySec
 
PPTX
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
byEnergySec
 
PDF
Slide Griffin - Practical Attacks and Mitigations
byEnergySec
 
PPT
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
byEnergySec
 
PPTX
Explore the Implicit Requirements of the NERC CIP RSAWs
byEnergySec
 
PDF
Unidirectional Network Architectures
byEnergySec
 
PDF
Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
byEnergySec
 
PPTX
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
byEnergySec
 
PDF
Please, Come and Hack my SCADA System!
byEnergySec
 
PDF
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
byEnergySec
 
PPTX
Jack Whitsitt - Yours, Anecdotally
byEnergySec
 
PPT
Industry Reliability and Security Standards Working Together
byEnergySec
 
PPTX
Where Are All The ICS Attacks?
byEnergySec
 
PPT
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
byEnergySec
 
PPTX
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
byEnergySec
 
PDF
Industrial Technology Trajectory: Running With Scissors
byEnergySec
 
PPT
What the Department of Defense and Energy Sector Can Learn from Each Other
byEnergySec
 
PDF
Wireless Sensor Networks: Nothing is Out of Reach
byEnergySec
 
PDF
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
byEnergySec
 
PDF
Where Cyber Security Meets Operational Value
byEnergySec
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
byEnergySec
 
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
byEnergySec
 
Slide Griffin - Practical Attacks and Mitigations
byEnergySec
 
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
byEnergySec
 
Explore the Implicit Requirements of the NERC CIP RSAWs
byEnergySec
 
Unidirectional Network Architectures
byEnergySec
 
Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
byEnergySec
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
byEnergySec
 
Please, Come and Hack my SCADA System!
byEnergySec
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
byEnergySec
 
Jack Whitsitt - Yours, Anecdotally
byEnergySec
 
Industry Reliability and Security Standards Working Together
byEnergySec
 
Where Are All The ICS Attacks?
byEnergySec
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
byEnergySec
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
byEnergySec
 
Industrial Technology Trajectory: Running With Scissors
byEnergySec
 
What the Department of Defense and Energy Sector Can Learn from Each Other
byEnergySec
 
Wireless Sensor Networks: Nothing is Out of Reach
byEnergySec
 
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
byEnergySec
 
Where Cyber Security Meets Operational Value
byEnergySec
 

Recently uploaded

PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
PDF Security Intelligence Platform | Cybersecurity Project by Ashish Patil
byAshishPatil495087
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Session 4 - Agentic Testing with UiPath Agents
byDianaGray10
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Database Performance at Scale: The TL;DR
byScyllaDB
 
PDF
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PDF
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
PDF
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PDF
Exclusive Hands-On Workshop: Agentic Automation with UiPath (First Edition)
byanabulhac
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF Security Intelligence Platform | Cybersecurity Project by Ashish Patil
byAshishPatil495087
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Session 4 - Agentic Testing with UiPath Agents
byDianaGray10
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Database Performance at Scale: The TL;DR
byScyllaDB
 
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
WebXR in Android and Linux with OpenXR
byIgalia
 
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
Exclusive Hands-On Workshop: Agentic Automation with UiPath (First Edition)
byanabulhac
 

Cybersecurity for Energy: Moving Beyond Compliance

  • 1.
    NATIONAL SECURITY •ENERGY & ENVIRONMENT • HEALTH • CYBERSECURITY © SAIC. All rights reserved. Cybersecurity for Energy: Moving Beyond Compliance
  • 2.
    SAIC.com © SAIC. Allrights reserved. The Threats Keep Coming…. 2 •  1998: Telephone switch hack closes an airport •  2000: Gazprom central control is hacked •  2000: Australian hacker causes environmental harm by releasing sewage •  2001: Hackers protesting U.S./China conflict enter U.S. electric power systems •  2003: Power outages in northeastern United States occur •  2003: Worm shuts systems down at Davis-Besse nuclear plant •  2006: Zotob virus shuts down Holden car manufacturing plant (Australia) •  2007: Aurora demonstration shows damage a remote hacker can cause physical harm to a generator •  2008: Intruder installed malware causing damage to Sacramento River diverter •  2010: Stuxnet discovered •  2012: Saudi Aramco targeted by Shamoon virus wiping out 30,000 hard drives
  • 3.
    SAIC.com © SAIC. Allrights reserved. ….And Our Defenses Struggle to Keep Up Threat Briefing: Escalating Security Threats 3 •  Attackers prefer lower-tech attack methods if they work •  Attacks are tailored to the defenses they need to breach •  As defenses improve, attacks will escalate to breach them, then step back down •  Improve defenses in one area and attackers move to other areas that are weaker Attacks Defenses Phishing Spear Phishing Published Vulnerabilities: (Browser, App, OS) Web Attacks: (SQL Inject; Cross-Site Script) Credential Harvesting & Abuse: (Keylogger, Pass-the-Hash) 2 factor Compromise: (Session hijack, OTP capture, Cert theft) Break Weak Crypto / Password Zero Day: (Browser, App, OS) Driver / BIOS / Hardware: (Vulnerability, Zero-Day) Hypervisor Breach: (Vulnerability, Zero-Day) Break Strong Cryptography Firewall Anti-Virus Patching Network IDS Host Firewall, Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) Network Segmentation Physical Isolation Hardened operating system Data Protection / Encryption Secure Coding Access Control App Whitelisting App Hardening High Assurance hardware 2-Factor Authentication Log Consolidation In-Memory Malware Detection Increasing Difficulty APT Hackers Hacktivists Viruses Network Breach: (Firewall, Switch, Router) BIOS = Binary Input Output System APT = Advanced Persistent Threat OS = Operating System OTP = One-time Password Cert = Certificate
  • 4.
    SAIC.com © SAIC. Allrights reserved. Cybersecurity is Becoming a Board-level Issue Reuters, October 13, 2011 National Association of Corporate Directors
  • 5.
    SAIC.com © SAIC. Allrights reserved. Turning Cybersecurity Risk Into a Business Risk •  Nuisance Example: Isolated malware infections –  Typically occur at rate of 6% of computers per year –  One oil company estimated cost at $4000 per machine (including productivity losses) 5 •  Slightly Less of a Nuisance: Customer Data Breach Losses –  Ponemon Institute estimated at $194 per record (most of cost is future lost business) –  TJX saw losses of more than $171 million for its 2006 data breach; Heartland Payments Systems had 130 million credit card numbers breached in 2009 –  For most customer data breaches, however, the relevant costs are minor as harms are hard to prove and the reputational damage is short-lived •  For utilities, greatest threats through cybersecurity attack are on ability to operate –  Maintaining stability of transmission and distribution grids (preventing widespread outages) –  Keeping hard to replace equipment from being damaged or destroyed (Aurora) –  Protecting human lives (fires, electrocutions, explosions, radiation) –  Ability to maintain cash flow (integrity of financial records, ability to bill and receive payments, access to bank accounts to pay suppliers) –  Ability to generate and coordinate (independent system operator functions, automated generation control)
  • 6.
    SAIC.com © SAIC. Allrights reserved. What About These “Cyber” Risks? “Examples of true incidents that have been labelled cyber security breaches are as follows: –  a mis-sent email (a strategy document sent to a competitor); –  commercial papers lost on a train; –  a former employee that was not legally prevented from taking bid information to a competitor; –  a laptop left on a plane with passwords attached; and careless use of social media giving away IPR, –  and more frequently, because it's cheaper, the use of social engineering ("new best friends" who buy you drinks all night at the bar, fascinated by your company).” Andrew Fitzmaurice, The Guardian, July 25, 2013 http://www.guardian.co.uk/media-network/media-network-blog/2013/jul/25/cyber-security-board-level-information-technology 6
  • 7.
    SAIC.com © SAIC. Allrights reserved. Organizing Around Business Risk •  The Banking Experience (Basel II/III) –  Organizes risk around categories that can be measured and contribute to organization’s overall risk posture that influence capital requirements 7 Influence on Capital Requirements Market Risk Credit Risk Liquidity Risk Operational Risk Operational Risk Components Legal Human Resources Physical Security/ Facilities Procurement IT (Performance, Security, Capacity) IT – Information Technology
  • 8.
    SAIC.com © SAIC. Allrights reserved. Business Risk for Utilities 8 •  Align by function/business area –  Harder to tie in financial metrics that benefit from lower risk (bond ratings?) Utility Business Risks T&D Reliability Energy Trading Key Equipment Protection Human Safety Operational Risk Operational Risk Cash Flow Compliance Human Resources Facilities IT (Performance, Security, Capacity) T&D – Transmission & Distribution IT- Information Technology
  • 9.
    SAIC.com © SAIC. Allrights reserved. Governance Model 9 •  Who does cybersecurity organization report to? –  In many, it’s the Chief Information Officer –  Can reporting reach executive and board level stakeholders? –  Do policies regularly get the backing of the CEO? •  Budget –  Is the cybersecurity budget tied to major initiatives (transmission expansion, safety initiatives, new substations)? –  Is there a relationship between cybersecurity risk and other major risks? •  As new meters, sensors, and relays are added, is cybersecurity risk adjusted along with its budget? •  Are improvements in grid reliability correlated with improvement in cybersecurity? –  Are cybersecurity budget line items evaluated for how they help reduce major business risks or even other operational risks?
  • 10.
    SAIC.com © SAIC. Allrights reserved. Moving from a Tactical to Risk Management Mindset 10 •  What gets reported? –  Malware infections vs. business disruptions –  Data breaches/lost laptops vs. value at risk –  Attacks blocked vs. threats averted •  How are resources allocated for cybersecurity? Tactical •  Firewall management •  Log management •  Authentication •  Endpoint security •  Server security Risk Management •  T&D grid stability •  Customer data protection •  Energy trading integrity •  Key asset protection •  Health and safety T&D – Transmission & Distribution
  • 11.
    SAIC.com © SAIC. Allrights reserved. From Resistance to Resiliency and Recovery 11 •  Do you know what your response will be if… –  You cannot trust the data coming from your substations –  Customer billing data has been corrupted –  Hackers have brought down your Energy Management System, and you’re not sure if all malware has been removed –  A smart meter firmware update that was just applied contains malicious code that shuts off power and then ceases communication? •  Most utilities run disaster recovery and business continuity drills but usually focus on natural events and not malicious and sentient actors •  While prevention and detection are necessary, successful programs assume response and recovery will be required and plan accordingly
  • 12.
    SAIC.com © SAIC. Allrights reserved. Where to Start 12 •  How can you tell how good a job you are doing? –  Mapping to business risks helps to speak to the board but day to day challenges still require a comprehensive approach –  Frameworks can help if used in the context of business risk •  NERC CIP, NIST SP 800-53/800-82, ISO 27001, IEC 62443* •  Need maturity models and means of comparison with peers Electricity Subsector Cybersecurity Capability Maturity Model US Department of Energy Maturity Indicator Levels (MIL): MIL1: Initiated MIL2: Performed MIL3: Managed *See last slide for acronyms
  • 13.
    SAIC.com © SAIC. Allrights reserved. Managing IT Security Capabilities 13 # Functional Area Architect Design Deploy Support Retire Maintain Operate 1 Security Infrastructure Management X X X X X X X 2 Network Admin & Security X X X X X X X 3 Application Security X X X X X X X 4 Endpoint & Server Security X X X X X X X 5 Cryptography & Data Protection X X X X X X X 6 Identity Management & Authentication X X X X X X X 7 Asset Management & Supply Chain X X X X X X X 8 Monitoring & Vulnerability Management X X X X X X X 9 Incident Response X X X X X X X 10 Policy & Audit & E-Discovery & Training X X X X X X X •  Need to apply controls from a lifecycle and functional perspective such as Integrated Strategy & Architecture, Integrated Operations, and Engineering services in each of Ten Functional Areas as indicated below. Strategy & Architecture OperationsEngineering
  • 14.
    SAIC.com © SAIC. Allrights reserved. Along with Some Control System Considerations 14 Bridging the Information Technology (IT) / Operations Technology (OT) divide will be critical to successful program as the threats hit IT first, but the biggest impact is felt on the OT side.
  • 15.
    SAIC.com © SAIC. Allrights reserved. Integrating the Data 15 •  Frameworks operate at 10,000 feet, threats at ground level –  Need automated mechanisms to report current state –  In government, we often use the term “continuous monitoring;” commercially it’s often “enterprise vulnerability management” –  Also need to ensure mandated controls stay current with threats Operations/Engineering Physical Security IT-Telecom/Cybersecurity Roles- based Correlation
  • 16.
    SAIC.com © SAIC. Allrights reserved. Putting It All Together 16 Strategy & Risk Management –  Assessing and Reporting –  Mapping security controls to acceptable risk posture –  Making sure cybersecurity risks are associated with business risks Security Operations –  Monitoring systems and networks for attacks –  Continuously monitoring for vulnerabilities and policy violations –  Aggressively seeking out threat intelligence –  Responding to incidents and assisting with the recovery Security Engineering –  Researching new protection techniques –  Designing, deploying, and supporting new security tools and technologies –  Aligning security tools, techniques, and technologies with organization’s culture and business drivers Governance & Oversight
  • 17.
    SAIC.com © SAIC. Allrights reserved. Budgets: How Much Security is Enough? 17 •  The industry norms –  Cybersecurity budgets in all industries tend to range from 3 to 10% of information technology budget –  For utilities, that number is closer to 3-5% –  IT budgets vary considerably by industry given different ways revenue is generated –  For many, 2-5% of revenue is typical for an IT budget –  For energy companies, operations technology (such as control systems) may be additional •  Criteria for additional expenditures –  Regulatory compliance (as much as 50% of security budget) –  Requirements to meet business continuity objectives –  Desire to meet industry best practices (such as encryption of all removable storage) –  Changing threat landscape –  Easily exploitable vulnerabilities –  Achieving acceptable risk posture (most subjective & hardest to substantiate)
  • 18.
    SAIC.com © SAIC. Allrights reserved. Example: Incorporating New Threats 18 •  Stuxnet –  Highly targeted and advanced attack on an Iranian nuclear power plant –  Included several “zero day” exploits (malicious software targeting vulnerabilities that had not been publicly known –  Likely introduced into “air-gapped” environment through flash drive Updating security policy and related controls Removable Media Practices “Out of band” monitoring Application Whitelisting Obtain buy-in from senior management Tie changes to key business objectives (such as key asset protection) Update budget Update policies & train employees Deploy software Integrate technology
  • 19.
    SAIC.com © SAIC. Allrights reserved. 19 In Summary Keys for Successful Security Program Compliance Through Lower Risk Crossing Organization Boundaries A Strategic Approach Future Aware Holistic Security Approach
  • 20.
    Discussion For more informationcontact: Gib Sorebo SAIC Vice President /Chief Cybersecurity Technologist phone: 703-676-2605 | email: [email protected]
  • 21.
    SAIC.com © SAIC. Allrights reserved. Acronyms 21 NERC – North American Electric Reliability Corporation CIP – Critical Infrastructure Protection NIST SP – National Institute for Standards and Technology Special Publication ISO – International Standards Organization IEC – International Electrotechnical Commission