Call To Arms: Combatting Apathy, Fatigue and Misdirection
 

EnergySec CEO, Patrick Miller's, opening address to the attendees of the 8th Annual EnergySec Summit in Portland, OR.

    Presentation Transcript

    • Call to Arms: Combating Apathy, Fatigue and Misdirection
      8th Annual EnergySec Summit, World Trade Center, Portland, OR, September 25, 2012
    • Threat Picture
        - Intelligent, adaptive adversaries exist.
        - They don’t follow the rules or compliance checklists.
        - They have people, money and time.
        - But… the sky isn’t falling.
      Slide footer: The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy. 9/26/12
    • Technology Picture
        - Emergent intelligence
        - A new digital world order
        - Hyper-connectivity
        - Hyper-embeddedness
        - Hyper-temporality
        - Vulnerabilities abound
        - Bolt-ons are imperfect and complex
    • Cybersecurity Picture
        - Research, espionage, organized crime, cyber/info warfare
        - Data is money
        - Nation-state-quality defense is the new norm
        - Isolation is extremely difficult
        - Cyber-kinetic impacts
        - Engineering vs. Security
    • Small Is The New Big
        - Cyber attacks don’t care about distance or size
        - It’s all about connectivity
        - Hackers are typically lazy, except when they’re not
        - Attribution and obfuscation
        - Stepping stones
    • Legislative/Regulatory Picture
        - Hyperbole, FUD and politics
        - Fear the auditor more than the attacker
        - “Comprehensive”
        - Smart Grid security/interoperability
        - Data breach disclosure
        - Intelligent islanding
        - Federal turf wars over critical infrastructure cybersecurity
        - Regulatory landscape shift
    • Regulation vs. Attitude
        - Regulation is easy, until it isn’t
          – Toaster to turbine
          – Party politics
          – Fed vs. Fed, Fed vs. State vs. Local…
          – Overlap, cost and fatigue
        - Adversaries will always innovate faster than the legislative process
        - You can prescribe action, but not attitude
    • Cybersecurity Law
        - Posse Comitatus Act, 18 U.S.C. §1385
        - Antitrust laws
          – Sherman Antitrust Act, 15 U.S.C. §§1-7
          – Wilson Tariff Act, 15 U.S.C. §§8-11
          – Clayton Act, 15 U.S.C. §§12-27
          – §5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. §45(a)
        - National Institute of Standards and Technology (NIST) Act (p. 13), 15 U.S.C. §271
        - Radio Act of 1912
        - Federal Power Act (p. 13), 16 U.S.C. §791a et seq., §824 et seq.
        - Radio Act of 1927
        - Communications Act of 1934 (p. 14), 47 U.S.C. §151 et seq.
        - National Security Act of 1947 (p. 15), 50 U.S.C. §401 et seq.
        - US Information and Educational Exchange Act of 1948 (Smith-Mundt Act) (p. 15), 22 U.S.C. §1431 et seq.
        - Defense Production Act of 1950, 50 U.S.C. App. §2061 et seq.
        - State Department Basic Authorities Act of 1956 (p. 17), 22 U.S.C. §2651a
        - Brooks Automatic Data Processing Act
        - Freedom of Information Act (FOIA) (p. 17), 5 U.S.C. §552
        - Omnibus Crime Control and Safe Streets Act of 1968 (p. 19), 42 U.S.C. Chapter 46, §§3701 to 3797ee-1
        - Racketeer Influenced and Corrupt Organizations Act (RICO) (p. 19), 18 U.S.C. Chapter 96, §§1961-1968
        - Federal Advisory Committee Act (p. 20), 5 U.S.C. App., §§1-16
        - War Powers Resolution, 50 U.S.C. Chapter 33, §§1541-1548
        - Privacy Act of 1974 (p. 20), 5 U.S.C. §552a
        - Foreign Intelligence Surveillance Act of 1978 (FISA), 18 U.S.C. §§2511, 2518-9
        - Foreign Intelligence Surveillance Act of 1978 (FISA), 50 U.S.C. Chapter 36, §§1801-1885c
        - Privacy Protection Act of 1980, 42 U.S.C. Chapter 21A, §§2000aa-5 to 2000aa-12
        - Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (p. 21), 18 U.S.C. §1030
        - Computer Fraud and Abuse Act of 1986, 18 U.S.C. §1030
        - Electronic Communications Privacy Act of 1986 (ECPA) (p. 22), 18 U.S.C. §§2510-2522, 2701-2712, 3121-3126
        - Department of Defense Appropriations Act, 1987 (p. 24), 10 U.S.C. §167
        - Computer Security Act of 1987, 15 U.S.C. §§272, 278g-3, 278g-4, 278h
        - Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. §552a
        - High Performance Computing Act of 1991 (p. 24), 15 U.S.C. Chapter 81
        - Communications Assistance for Law Enforcement Act (CALEA) of 1994 (p. 26), 47 U.S.C. §1001 et seq.
        - Source: Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, Eric A. Fischer, Senior Specialist in Science and Technology, December 22, 2011
    • Cybersecurity Law
        - Paperwork Reduction Act of 1995, 44 U.S.C. Chapter 35, §§3501-3549
        - Telecommunications Act of 1996, 47 U.S.C. §609
        - Communications Decency Act of 1996 (p. 27), 47 U.S.C. §§223, 230
        - Clinger-Cohen Act (Information Technology Management Reform Act of 1996) (p. 28), 40 U.S.C. §11001 et seq.
        - Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. §1320d et seq.
        - Economic Espionage Act of 1996, 18 U.S.C. §1030, Chapter 90, §§1831-1839
        - Identity Theft and Assumption Deterrence Act of 1998 (p. 29), 18 U.S.C. §1028
        - National Defense Authorization Act for Fiscal Year 2000, 10 U.S.C. §2224
        - Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Chapter 94, §§6801-6827
        - USA PATRIOT Act of 2001, 18 U.S.C. §1
        - Sarbanes-Oxley Act of 2002, 15 U.S.C. §7262
        - Homeland Security Act of 2002 (HSA) (p. 30), 6 U.S.C. §§121-195c, 441-444, and 481-486
        - Federal Information Security Management Act of 2002 (FISMA) (p. 32), 44 U.S.C. Chapter 35, Subchapters II and III, 40 U.S.C. §11331, 15 U.S.C. §§278g-3 and 278g-4
        - Terrorism Risk Insurance Act of 2002 (p. 34), 15 U.S.C. §6701 nt.
        - Cyber Security Research and Development Act, 2002 (p. 34), 15 U.S.C. §§278g, h, 7401 et seq.
        - E-Government Act of 2002 (p. 36), 5 U.S.C. Chapter 37, 44 U.S.C. §3501 nt., Chapter 35, Subchapter 2, and Chapter 36
        - Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. §1601
        - Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, 15 U.S.C. Chapter 103, §§7701-7713, 18 U.S.C. §1037
        - Identity Theft Penalty Enhancement Act 2004 (p. 37), 18 U.S.C. §§1028, 1028A
        - Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) (p. 38), 42 U.S.C. §2000ee, 50 U.S.C. §403-1 et seq., §403-3 et seq., §404o et seq.
        - Energy Policy Act of 2005 (EPACT), 16 U.S.C. §824o
        - Department of Homeland Security Appropriations Act, 2007, 6 U.S.C. §121 nt.
        - Protect America Act of 2007, 50 U.S.C. §1801 nt.
        - Energy Independence and Security Act of 2007 (EISA), 42 U.S.C. §§17381-17385
        - Foreign Intelligence Surveillance Act of 1978 (FISA) Amendments Act of 2008, 50 U.S.C. §1801
        - Identity Theft Enforcement and Restitution Act of 2008, 18 U.S.C. §1030
        - Health Information Technology for Economic and Clinical Health Act, 42 U.S.C. §17901 et seq.
        - Source: Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, Eric A. Fischer, Senior Specialist in Science and Technology, December 22, 2011
      “…security is an art – and you cannot legislate art.” – Comment by Deputy Assistant Director, US DOE
    • Do The Right Thing
        - “Why don’t they just do the right thing?”
          – Comment by House Homeland Security Committee staffer, 2009
        - Dozens of Congressional hearings
        - Roughly 150 bills since 2009
        - Executive Order being considered
        - No closer to defining what the “right thing” is
    • Compliance vs. Security
    • Compliance vs. Security
        - “I had a nightmare last night. My entire security team had been converted to compliance staff!”
          – Comment by former security manager for a large U.S. investor-owned utility
        - A culture of compliance may not be a good thing
        - Compliance can both help and hurt security
        - There is a point where security and compliance meet; it isn’t always easy to find, but it is the best approach to spending and resourcing
    • Sector Spotlight
        - Electric sector (SCADA) = new shiny object
        - TV, movies, media, blogosphere, Twitter
        - Armchair experts and hyperbole
        - Other critical infrastructures, nation states
        - Smart Grid fever will drive more attention
        - The mania will intensify in the near term
        - Very little actuarial data to form risk models
    • Resources Are Scarce
        - Not enough qualified security pros available
        - Very complex range of skills needed to match operational technologies, security tools and business (compliance) risk
        - Active “cannibalization” of talent within the sector
        - Few qualified auditors and consultants
        - Artificial demand in the market increases costs
    • Vendor Relationships
        - Most vendors put features first, security second
        - ARRA and other “green/clean” dollars are fueling corporate consumerism
        - You are being given old technology as new, and new technology that hasn’t been tested
        - Interoperability standards, SCADA Procurement Language, code reviews, etc.
        - 100% secure does not and will not exist
        - Security testing in FAT, and again in SAT
        - Vulnerability disclosure ripple effect
    • Negative Perceptions
        - Too many cases of lowering security to achieve strict compliance with NERC CIP standards, while potentially reducing reliability
        - Too few Critical Assets and Critical Cyber Assets
        - CIPS is more about accountability than security
        - Future changes to CIPS are slow and inadequate
        - Virtually no change in over 6 years
        - Industry is actively trying to minimize and stall
        - CIP Version 5 has one more “round” – or else…
    • Regulation Will Get Muddy
        - Accountability baseline still forming
        - Consensus is not possible; ANSI flaws
        - Region/NERC/FERC relationship is unstable
        - Data breach laws are coming
        - Overlapping regulations (SOX, PCI, CFATS, MTSA, Pipeline Safety, NRC…)
        - Heavy politics attached to grid security
        - Who’s got the cybersecurity authority today?
    • Recommendations
        - Realize that you are a target; act accordingly
        - Prepare for the spotlight and the microscope
        - Build a compliance program that can embrace any regulatory regime, even DHS (think TSA)
        - CIPS is only the beginning; expect more
        - Don’t wait for the next regulation to start implementing controls
    • Recommendations
        - Start with an evaluation of risk and capability
        - Adopt a risk management framework
        - Automate compliance from sound business process, but don’t under-resource
          – Security technology requires humans
        - Consider a continuous monitoring approach
        - Manage like other risks in the portfolio
        - Communication is key: customers, stakeholders
    • EnergySec Needs You
        - Volunteer programs
          – Tactical Analysis Center
          – Best Practices Repository
          – Community-driven efforts (Working Groups, task forces, whitepapers, etc.)
        - Financial support
          – NESCO must be sustained by industry
          – TAC subscriptions
          – Organizational or individual membership
          – Donations/sponsorships
    • Break The Mold
      “You cannot solve a problem from the same consciousness that created it. You must learn to see the world anew.” – Albert Einstein
    • Questions
      Patrick C. Miller, President & CEO
      patrick.miller@energysec.org
      503.272.1414
      @patrickcmiller (Twitter)
      www.energysec.org