This page is a slide deck (with presenter notes) on cyber threats and opportunities in the electric utility industry arising from increased automation. It hypothesizes that the North American grid has not yet seen a significant cyber-related outage because those with the ability to cause one currently lack the motivation. It highlights the challenge of securing critical infrastructure systems and controlling access as the industry moves toward cloud-based services, mobile access, and integration of distributed energy resources and smart grid technologies.
Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation
1. Hype, Hope, and Happenstance: Cyber Threats and Opportunities in an Age of Automation
Georgia Distribution and Transmission Automation Group
April 2, 2012
Forsyth, GA
2. A Quote
Everybody talks about cybersecurity, but nobody does anything about it.
-Mark Twain
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy. 9/1/2012
4. A Hypothesis
We have yet to see a significant cyber-related outage in the North American power grid because those who have the ability to cause one lack the motivation to do so.
5. About Me
Security Professional by choice
Nextel Communications 1997-2000
US Bank Information Security 2000-2001
PacifiCorp Security 2001-2009
WECC CIP Auditor 2009-2010
EnergySec (NESCO) 2010 - ?
7. About EnergySec
7/2004: EnergySec founded as E-Sec NW
1/2008: SANS Information Sharing Award
12/2008: Incorporated as EnergySec
10/2009: 501(c)(3) nonprofit determination
4/2010: EnergySec applied for the National Electric Sector Cybersecurity Organization (NESCO) FOA
7/2010: NESCO grant award from DOE
10/2010: NESCO became operational
8. The System
Greatest engineering achievement of the 20th century (National Academy of Engineering ranking)
1 Trillion watts of generation
850 Billion watts of transmission capacity
150,000 miles of high voltage transmission
Ubiquitous
Average uptime about 99.95% (SAIDI = 244 minutes per customer per year; 244 of 525,600 minutes is 0.046% downtime)
9. Smart Gridtopia
10. But what can I do with it?
Distributed Generation
Demand Response
Market pricing at the consumer level
Frequency Response (EVs)
Renewables integration
Micro Grids
Energy Storage
11. Automation
Automated Generation Control
Special Protection Systems
Synchrophasor Applications
Load Shedding
Advanced Metering Infrastructures
Centralized Control Systems
12. There's an App for That
"Get mobile access to your control system via an iPhone, iPad, Android and other smartphones and tablet devices. The Ignition Mobile Module gives you instant access to any HMI / SCADA project created with the Ignition Vision Module."
13. To The Cloud!
"Use any standard browser on any device to access HMI. No downloads, no tedious installs, no plug-ins. Login and you have the HMI in your hands wherever you are: factory cafeteria, or parking lot, or on the beach, or even the golf course!"
"GoToMyHMI provides Secure, Easy and Fast access from any Browser to InstantHMI 6.0, ready to serve you on the cloud today. Remotely Monitor, ACK Alarms and Control your HMI for one low flat fee."
14. The Double-edged Sword
Email: Fraud/Phishing
Facebook: Privacy
Online Banking: Online Theft
Computerized Trading: Market Manipulation
Smart Grid: ???
15. Attack Surface
Systems: EMS, DMS, DCS, E-Tagging, Trading, AGC, ICCP, AMI
Access paths: Communication, Remote Access, Vendor Support, Supply Chain, [HLWMV]ANs, The Cloud, Mobile devices, SCADA
16. Logical Distance Increasing
Clicky-clicky
Whirly-whirly
17. Today's Shiny Object
Headline presentations at BlackHat/DefCon, DerbyCon, RootedCon, BSides …
Wall Street Journal, National Journal, CNN
Too many IT trade publications to name
Blockbuster films, prime time TV shows
Person-on-the-street, Congress, White House
18. March 2012
19. From Obscurity to Novelty
Smart Meter hacking
Hacking cookbooks, fuzzers, sniffers, reversing
Metasploit, Core Impact, etc.
Supply chain attacks
Manuals available in all languages on the Internet
20. Current Events
Facebook Social Engineering Attack Strikes NATO
http://www.informationweek.com/news/security/government/232602419
"The top military commander in NATO has been targeted by attackers wielding fake Facebook pages."
Teen Exploits Three Zero-Day Vulns for $60K Win in Google Chrome Hack Contest
http://www.wired.com/threatlevel/2012/03/zero-days-for-chrome/
"The tall teen, who asked to be identified only by his handle "Pinkie Pie" … spent just a week and a half to find the vulnerabilities and craft the exploit, achieving stability only in the last hours of the contest."
21. …To Name a Few
22. TwitBookBlogosphere
23. Cybersecurity Landscape
25. Point, Click, Hack
"In some scarier than your average security news, thanks to several Program Logic Controllers (PLC) exploits that were added to Metasploit today, "hacking SCADA systems can be push of a button easy," tweeted HD Moore, CSO of Rapid7 and Chief Architect of Metasploit."
Source: Network World (http://goo.gl/K5xZ7)
26. Vulnerability Disclosure
28. Air-Gaps, Unicorns and Bigfoot
29. 10,000 Reasons to Worry
Source: www.wired.com/threatlevel/2012/01/10000-control-systems-online
30. Technology Landscape
A new digital world order
Lingering legacy
Widespread connectivity
Hyper-embeddedness
Cyber-kinetic impacts
31. Advantage: Adversaries
Intelligent, adaptive adversaries exist, and they don't follow the rules or compliance checklists.
32. Advantage: Adversaries
Google search for “APT”
– 34 hits in Jul 09
– 169 hits in Jan 10
– 1.2M+ hits June 11
Google search for “cyberwar”
– 416 hits Dec 09
– 1.4M hits Feb 10
– 3.4M+ hits June 11
Welcome to the cyberarms race
33. What to do?
34. Nothing New Under The Sun
Mature security practices; highly refined
– Defense in Depth
– Principle of Least Privilege
– Segregation of Duties
– Need to Know
– Availability, Integrity and Confidentiality
No Silver Bullet, 100%, Total Security
Strong protection has never been easy, inexpensive or quick to implement (pick two)
35. Compliance
36. There ought to be a Law…???
Laws are reactionary, not visionary.
37. Regulatory Landscape
Yes, this is an eye-chart to make a point
Posse Comitatus Act, 18 U.S.C. 1385
Antitrust Laws
Sherman Antitrust Act, 15 U.S.C. 1-7
Wilson Tariff Act, 15 U.S.C. 8-11
Clayton Act, 15 U.S.C. 12-27
Section 5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. 45(a)
National Institute of Standards and Technology (NIST) Act (p. 13), 15 U.S.C. 271
Radio Act of 1912
Federal Power Act (p. 13), 16 U.S.C. 791a et seq., 824 et seq.
Radio Act of 1927
Communications Act of 1934 (p. 14), 47 U.S.C. 151 et seq.
National Security Act of 1947 (p. 15), 50 U.S.C. 401 et seq.
US Information and Educational Exchange Act of 1948 (Smith-Mundt Act) (p. 15), 22 U.S.C. 1431 et seq.
Defense Production Act of 1950, 50 U.S.C. App. 2061 et seq.
State Department Basic Authorities Act of 1956 (p. 17), 22 U.S.C. 2651a
Brooks Automatic Data Processing Act
Freedom of Information Act (FOIA) (p. 17), 5 U.S.C. 552
Omnibus Crime Control and Safe Streets Act of 1968 (p. 19), 42 U.S.C. Chapter 46, 3701 to 3797ee-1
Racketeer Influenced and Corrupt Organizations Act (RICO) (p. 19), 18 U.S.C. Chapter 96, 1961-1968
Federal Advisory Committee Act (p. 20), 5 U.S.C. App., 1-16
War Powers Resolution, 50 U.S.C. Chapter 33, 1541-1548
Privacy Act of 1974 (p. 20), 5 U.S.C. 552a
Foreign Intelligence Surveillance Act of 1978 (FISA), 18 U.S.C. 2511, 2518-9
Foreign Intelligence Surveillance Act of 1978 (FISA), 50 U.S.C. Chapter 36, 1801-1885c
Privacy Protection Act of 1980, 42 U.S.C. Chapter 21A, 2000aa-5 to 2000aa-12
Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (p. 21), 18 U.S.C. 1030
Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030
Electronic Communications Privacy Act of 1986 (ECPA) (p. 22), 18 U.S.C. 2510-2522, 2701-2712, 3121-3126
Department of Defense Appropriations Act, 1987 (p. 24), 10 U.S.C. 167
Computer Security Act of 1987, 15 U.S.C. 272, 278g-3, 278g-4, 278h
Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. 552a
High Performance Computing Act of 1991 (p. 24), 15 U.S.C. Chapter 81
Communications Assistance for Law Enforcement Act (CALEA) of 1994 (p. 26), 47 U.S.C. 1001 et seq.
Source: Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, Eric A. Fischer, Senior Specialist in Science and Technology, Congressional Research Service, December 22, 2011
38. Regulation is Futile
Regulation kills creativity, innovation, and passion, all of which are needed to achieve success in cybersecurity.
39. NERC CIP in 30 Seconds
CIP-002 - Figure out what needs to be protected
CIP-003 - Establish policy and programs
CIP-004 - Address personnel issues
CIP-005 - Create electronic perimeters
CIP-006 - Create physical perimeters
CIP-007 - Provide system level security
CIP-008 - Figure out how to respond to incidents
CIP-009 - Figure out how to recover from
42. Backwards?… Maybe so
Compliance spending increasing sharply while security spending is increasing slowly.
Companies find $$ for compliance while cutting other critical areas.
43. Leverage NERC CIP
CIP spending 25% of IT security budgets
Get Smarter about spending
Integrate Decisions (IT - Ops - Compliance)
Secure solutions + Compliance
45. It Can't Happen
This is nearly always FALSE
Attackers are always seeking (and finding) new ways to compromise technology
Obscurity is not a defense.
46. DNS Exfiltration
If you can resolve a DNS name on a system, you can move data off it: the data rides in the query name (and, for two-way channels, in the answer), and the recursive resolver forwards it to the attacker's authoritative server.
Technique is being actively used in the wild
In many cases, detection is the only defense
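The slide's point is that DNS egress is rarely blocked, so the practical control is to watch the resolver logs for query patterns that look like encoded data rather than hostnames. The following detector is an added example written for this page, not code from the talk or from EnergySec. It assumes a simplified "client qname qtype" log line (real BIND or Unbound query logs need their own parsing), uses a constructed sample in which one client tunnels hex-encoded data through TXT queries, approximates the registered domain as the last two labels (a real deployment should use the Public Suffix List), and uses illustrative thresholds that would need tuning against a site's own baseline.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query-log lines in a simplified
# "<client> <qname> <qtype>" format (not taken from any real resolver).
# 10.20.1.15 does ordinary lookups; 10.20.1.42 pushes hex-encoded data out
# one label at a time through queries to a domain the attacker controls.
SAMPLE_LOG = """\
10.20.1.15 www.example.com A
10.20.1.15 updates.example.com A
10.20.1.15 www.example.com A
10.20.1.15 mail.example.com MX
10.20.1.15 www.example.com A
10.20.1.15 cdn.example.com A
10.20.1.42 a3f9c2e1b7d04c5e8a9f0123456789ab.t.example.net TXT
10.20.1.42 c5e8a9f0123456789abcdef0123456789a.t.example.net TXT
10.20.1.42 0123456789abcdefa3f9c2e1b7d04c5e8.t.example.net TXT
10.20.1.42 bcdef0123456789a3f9c2e1b7d04c5e8a.t.example.net TXT
10.20.1.42 9f0123456789abcdefa3f9c2e1b7d04c5.t.example.net TXT
10.20.1.42 789abcdef0123456789a3f9c2e1b7d04c.t.example.net TXT
10.20.1.42 www.example.com A
"""

# Illustrative thresholds (assumptions for this example, not tuned values).
MIN_QUERIES = 5      # too little traffic to judge below this
LONG_LABEL = 32      # hostname labels this long are rare outside encoded data
HIGH_ENTROPY = 3.5   # bits/char; hex payloads approach 4, base32 approaches 5
UNIQUE_RATIO = 0.8   # exfil never repeats a name; caching makes real lookups repeat
BULKY_TYPES = {"TXT", "NULL", "CNAME"}  # types that carry large answers back


def shannon_entropy(s: str) -> float:
    """Bits per character of s. English-like labels score ~2-3, hex ~3.9."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels. Assumption for the example; use the Public Suffix List in practice."""
    return ".".join(qname.split(".")[-2:])


def parse_log(text: str):
    """Yield (client, qname, qtype) from the simplified log format above."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, qname, qtype = line.split()
        yield client, qname.lower().rstrip("."), qtype.upper()


def score_groups(records):
    """Score every (client, registered domain) pair; return {pair: signals}."""
    groups = defaultdict(list)
    for client, qname, qtype in records:
        groups[(client, registered_domain(qname))].append((qname, qtype))
    results = {}
    for (client, domain), queries in groups.items():
        # Strip the registered domain to get the part the client chose.
        subs = [q[: -len(domain) - 1] for q, _ in queries if q != domain]
        labels = [lab for sub in subs for lab in sub.split(".")]
        unique_ratio = len(set(subs)) / len(queries)
        max_label = max((len(lab) for lab in labels), default=0)
        ents = [shannon_entropy(lab) for lab in labels if len(lab) >= 8]
        mean_entropy = sum(ents) / len(ents) if ents else 0.0
        bulky = sum(1 for _, t in queries if t in BULKY_TYPES) / len(queries)
        suspicious = (
            len(queries) >= MIN_QUERIES
            and unique_ratio >= UNIQUE_RATIO
            and (max_label >= LONG_LABEL or mean_entropy >= HIGH_ENTROPY)
        )
        results[(client, domain)] = {
            "queries": len(queries),
            "unique_ratio": round(unique_ratio, 2),
            "max_label": max_label,
            "mean_entropy": round(mean_entropy, 2),
            "bulky_fraction": round(bulky, 2),
            # Upper bound on smuggled characters (halve it for hex encoding).
            "encoded_chars": sum(len(lab) for lab in labels if len(lab) >= LONG_LABEL),
            "suspicious": suspicious,
        }
    return results


def flagged(text: str):
    """Sorted (client, domain) pairs the heuristics consider exfiltration."""
    return sorted(k for k, v in score_groups(parse_log(text)).items() if v["suspicious"])


if __name__ == "__main__":
    for key, signals in score_groups(parse_log(SAMPLE_LOG)).items():
        print(key, signals)
    print("flagged:", flagged(SAMPLE_LOG))
```

Two caveats go with this. The signals only exist if every host is forced through an internal resolver that logs queries and direct outbound port 53 is blocked elsewhere; otherwise the tunnel simply bypasses the logging point. And a patient attacker can stay under any fixed threshold by using short labels and a slow query rate, so the per-pair counts should be accumulated over hours or days and compared against a baseline of which external domains each client normally resolves, not judged on a single window.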
47. Flank Attacks
RSA – Stolen 2-factor auth token data
Industrial Espionage/Supply Chain
Certificate Authorities
Corporate Networks
Partner Networks
48. Organized Attackers
Underground markets
Criminal infrastructure
Botnets
Attackers for hire
49. It Won't Happen
In most cases, this is TRUE, but we don't know which ones
Somebody WILL be compromised.
Everybody MIGHT be compromised.
We are becoming a target
50. The Wildebeest Defense
Yes, there are lions, but there are so many of us that the chances I'll get eaten are small
Can be effective against isolated threats, but doesn't help against common maladies
Doesn't work if you're slow or weak
51. There may be more lions than you think
HBGary
RSA
Sony
Lockheed Martin
NASDAQ
54. Culturing Security
Treat security like safety
The basics shouldn’t be magic
Distribute the load
Security is everyone’s job
Social engineering is a waste of time
Focus on the solution: training & awareness
55. No 100% Prevention
56. And Finally
"The rumors of my death have been greatly exaggerated."
-Mark Twain
57. Thank You!
Steven H Parker
V.P. Technology Research and Projects, EnergySec
Co-Principal Investigator, National Electric Sector Cybersecurity Organization
steve@energysec.org
503.446.1214 (desk)
@es_shp (twitter)
www.energysec.org
Editor's Notes
We don’t prevent the weather, we prepare for it. Likewise, cybersecurity is not a problem to be solved, it is a risk to be managed.
Which is it? Is the cyber threat overhyped, or under appreciated? The truth is probably somewhere in the middle.
Background is to provide context for my comments
Technology since childhood
Security since 1996, officially since 2000
Broad background across many technologies
Give brief description of each job
Introduce background on EnergySec and NESCO
Everything is being made with a digital component.