Emerson Ovation User Group BOD Meeting

National Electric Sector
Cybersecurity Organization
Patrick C Miller, President and CEO
April 14 2011
Emerson Ovation User Group
Board of Directors Meeting

ELECTRIC SECTOR
SECURITY: CURRENT STATE

Advantage: Adversaries
• Security approaches favor new installations,
legacy environments are still vulnerable
• Very difficult to replace/patch in-service devices
• Isolation has diminishing security value
• Security products vs. buying secure products
• Engineering (N-1) and Security are different
– Nature may be sophisticated, but it isn’t malicious
• Hackers don’t use a compliance checklist
– Following a compliance checklist won’t make you
secure
The National Electric Sector Cybersecurity Organization
(NESCO) is a DOE-funded EnergySec Program 2

Advantage: Attackers
• Intelligent, adaptive adversaries exist
• Cyberwar:
– Stuxnet is a game changer, sets the new bar
• Espionage:
– Project, market and customer data
• Organized crime:
– Same old tricks, new platform


Advantage: Adversaries
• Google search for “APT”
– 34 hits in Jul 09
– 169 hits in Jan 10
– 1.4M+ today
• Google search for “cyber war”
– 416 hits Dec 09
– 1.4M hits Feb 10
– 2.7M+ hits today
• Welcome to the cyberarms race


SHODAN, ERIPP, ETC


SHODAN, ERIPP, ETC

Berkeley Cyclotron HMI images

The “Air-Gap” Myth


TwitBookBlogosphere


There’s An App For That

• “Get mobile access to your
control system via an
iPhone, iPad, Android and other
smartphones and tablet devices.
The Ignition Mobile Module
gives you instant access to any
HMI / SCADA project created
with the Ignition Vision Module.”


HMI In The Cloud
“Use any standard browser on any
device to access HMI. No
downloads, no tedious installs, no
plug-ins. Login and you have the
HMI in your hands wherever you
are: factory cafeteria, or parking
lot, or on the beach, or even the
golf course!”
“GoToMyHMI provides Secure, Easy and Fast access
from any Browser to InstantHMI 6.0, ready to serve you
on the cloud today. Remotely Monitor, ACK Alarms and
Control your HMI for one low flat fee.”


Public Domain


Research and Disclosure
46 zero-day SCADA vulnerabilities issued a two-week
span


Research and Disclosure
• October 24, 2010, 12:39PM, Threat Post
– SCADA Vendors Still Need Security Wake Up Call
• http://threatpost.com/en_us/blogs/scada-vendors-still-need-security-wake-call-102410

– “Please don’t waste my time”

• October 28, 2010: ICSJWG Seattle Meeting
– Invensys, IOActive, ICS-CERT presented on case
study on Wonderware vulnerability

• Disclosure positions are hotly debated


From Obscurity To Novelty
• Smart Meter hacking
• Hacking cookbooks
• Metasploit, Core Impact, etc
• Fuzzers
• Supply chain attacks
• Manuals available in all languages on Internet


Shiny Object
• Shiny object for the mass media
• 60 minutes
• Wall Street Journal, National Journal, CNN
• Too many IT trade publications to name
• Blockbuster films
• Prime time television shows
• Social Media (blogosphere, Twitter)


Economic Drivers
• Recession economy brings unique challenges
• Decreased participation working groups and
conferences
• Static or shrinking headcount; increased
workload
• Downsizing, pay freezes, etc increase insider
threat
• Decreased spending on new equipment
• Older products extended beyond intended
lifespan

• Security more expensive for customers and

People Problem
• Humans are the weakest link in any security
system
– Passwords for candy; Social engineering
• Humans are also the strongest link
– The Aware Person System (APS)
– ICS culture shift is very slow, but powerful
• Danger: untrained operators of power
tools can cause significant damage
– Increasing complexity = training treadmill


Back In The Good Old
Days
• Pneumatic, electromechanical, analog
• Telephone meant POTS or “bat phone” – no
VoIP
• No Internet
• Less automation
• Less complexity
• Proprietary
• Long life span


ICS Gen-X
• Automation, more complexity
• Internet Protocol (TCP/UDP/etc)
• Data, more data and even more data
• Processing power, memory, bandwidth
• Interconnected business
• Migration from flat to segmented networks
• COTS software and hardware
• Increasingly shorter lifespans


Millennium Systems
• Highly digital, highly complex
• Highly interconnected, highly layered
• Bitflocking, dynamic emergent behavior
• New protocols
• New interdependencies
• Homogenization
• Innovation treadmill; constant lifespan flux


Current Landscape
• Regulatory compliance is stealing the show
• Mixing legacy and bleeding edge tech is difficult
• Logical distance between kinetic endpoint and
HMI is exponentially increasing;
“hyperembeddedness”
• Many vendors are forced to put features ahead
of security due to market conditions
• Researchers and hackers know all of this and
more
• Sufficient motive, means and opportunity exist to

take the threat seriously

NATIONAL ELECTRIC SECTOR
CYBERSECURITY
ORGANIZATION

History
• 7/2004: EnergySec founded as E-Sec NW
• 1/2008: SANS Information Sharing Award
• 12/2008: Incorporated as EnergySec
• 10/2009: 501(c)(3) nonprofit determination
• 4/2010: EnergySec applied for National
Electric Sector Cybersecurity Organization
(NESCO) FOA
• 7/2010: NESCO grant award from DOE
• 10/2010: NESCO became operational

What Is The NESCO?
• Mission: Lead a broad-based, public-private
partnership to improve electric sector energy
systems cyber security; become the security voice
of the electric industry
• Goals:
– Identify and disseminate common, effective cyber security
practices
– Analyze, monitor and relay infrastructure threat information
– Focus cybersecurity research and development priorities
– Work with federal agencies to improve electric sector cyber
security
– Encourage key electric sector supplier and vendor support
/ interaction

Participant Statistics
651 members from 167 organizations
US Nameplate Generation US Residential Distribution

74% 60%


Holy Grail: Info Sharing
• Many asset owners are already sharing
• Challenges:
– Increase and improve asset-owner sharing
– Establish two-way sharing from the government
and vendor segments
– Connect/harmonize all of the existing
cybersecurity efforts and minimize duplication
– Turn the tide of negative perception on industry
security posture


Connect and Support


Public-Private Perceptions
• Government moves too slowly, over-classifies
and narrowly distributes
• Industry can’t protect the shared information and
doesn’t respond appropriately
• Lack of parity in degree and quality of
information shared in both directions
• Differing goals and motivation between
Government and Industry


How Does This Work?
• Sharing requires trust
• Trust is built on relationships

• NESCO fosters trustworthy
relationships
– Bringing people together
– Flexible technology options to extend
and enhance relationships
– Organic growth; birds of a feather


NESCO Outreach
• NESCO outreach programs
– Annual Summit (October 2011, San Diego)
– Town Hall Meetings (April 27, Austin)
– Voice Of The Industry Meetings (everywhere)
– Interest Groups (Workforce Development, Forensics,
etc)
– Webinars, Briefings
– Portal/Forums
– Email distribution lists
– Social media

NESCO Technology
• Email distribution lists
• Secure portal with forums
• Secure instant messaging
• Rapid notification mechanisms
• Web collaboration
• Resource repository*
• Most technologies have non-
attribution (anonymous)
options

Resource Repository
• Code snippets
• IDS/attack signatures
• Audit templates
• Reference architectures
• System configurations
• Policy, process, procedure templates
• Compliance practices
• And more…


Industry Collaboration
• What works, what doesn’t
• Informal benchmarking
• Situational (tactical) awareness
• Threat and vulnerability analysis
• Shared/crowd-sourced resources (repository)
• Mentoring


Case Study: Tactical Aid
• “Over the weekend between 13:00 - 15:00 and
19:00 - 20:00 PST we saw significant port
scanning of our edge, originating from;
60.29.244.11…”
– Great discussion of port scanning threats
– Many follow up posts with yes/no indicators
– Dumps of all activity from source address


Case Study: Night Dragon
• 2.9.11:1400 - McAfee reached out to NESCO with
pre-release draft of Night Dragon white paper
• 2.9.11:1747 - NESCO staff completed
analysis, summarized paper and posted to secure
portal
• 2.10.11:0800 - NESCO & McAfee held joint
technical call with over 60 attendees across NA
– Dmitri Alperovitch, McAfee's VP Threat Research
– Technical talk, answered questions from members
• 2.10.11:1200 - McAfee executive public call
• NESCO utilities were reviewing the report over six
hours prior to public release

Case Study: DOE Request
• DOE was interested in getting informal "boots on
the ground” feedback quickly
– Question: Does an FBI report about a terrorist
targeting various critical assets help strengthen the
case for your organization to further improve physical
or cyber security? Does it help the business case?
• NESCO was able to collect responses without
attribution and submit a response to DOE in a
matter of a few days
• DOE stated that this rapid method for informal
questions and answers is very valuable to them

Case Study: Compliance
• Much initial confusion and uncertainty around
Regional compliance audits…
– What is the auditor disposition?
– What was the depth and breadth of questions?
– What did they cover?
– What failed and what succeeded?
• Conference calls with entities willing to share
• Real stories of audits were shared
• Real documentation was shared


NESCO Summary
• Unique non-profit, independent, public-private
information sharing organization
• Focused on building trust through relationships
• Security collaboration, facilitation and sharing
hub
• Flexible technology facilitates and catalyzes
information and resource sharing efforts
• Security voice of the electric sector
• Supports existing successful programs

Questions?

Non-profit. Independent. Trusted.

Patrick C Miller, President and CEO
patrick@energysec.org
503-446-1212

Emerson Ovation User Group BOD Meeting

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Viewers also liked

Viewers also liked (6)

Similar to Emerson Ovation User Group BOD Meeting

Similar to Emerson Ovation User Group BOD Meeting (20)

More from EnergySec

More from EnergySec (20)

Recently uploaded

Recently uploaded (20)

Emerson Ovation User Group BOD Meeting