Call to Arms: Combating Apathy, Fatigue and Misdirection

8th Annual EnergySec Summit
World Trade Center
Portland, OR
September 25, 2012
Threat Picture

Intelligent, adaptive adversaries exist. They don’t follow the rules or compliance checklists. They have people, money and time. But… the sky isn’t falling.

The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy. 9/26/12
Technology Picture
• Emergent intelligence
• A new digital world order
• Hyper-connectivity
• Hyper-embeddedness
• Hyper-temporality
• Vulnerabilities abound
• Bolt-ons are imperfect and complex


Cybersecurity Picture
• Research, espionage, organized crime, cyber/info warfare
• Data is money
• Nation state quality defense is the new norm
• Isolation is extremely difficult
• Cyber-kinetic impacts
• Engineering vs. Security

Small Is The New Big

• Cyber attacks don’t care about distance or size
• It’s all about connectivity
• Hackers are typically lazy, except when they’re not
• Attribution and obfuscation
• Stepping stones
Legislative/Regulatory Picture
• Hyperbole, FUD and politics
• Fear the auditor more than the attacker
• “Comprehensive”
• Smart Grid security/interoperability
• Data breach disclosure
• Intelligent islanding
• Federal turf wars over critical infrastructure cybersecurity
• Regulatory landscape shift

Regulation vs. Attitude
• Regulation is easy, until it isn’t
  – Toaster to turbine
  – Party politics
  – Fed vs. Fed, Fed vs. State vs. Local…
  – Overlap, cost and fatigue
• Adversaries will always innovate faster than the legislative process
• You can prescribe action, but not attitude


Cybersecurity Law
• Posse Comitatus Act, 18 U.S.C. §1385
• Antitrust Laws
• Sherman Antitrust Act, 15 U.S.C. §§1-7
• Wilson Tariff Act, 15 U.S.C. §§8-11
• Clayton Act, 15 U.S.C. §§12-27
• Federal Trade Commission (FTC) Act §5, 15 U.S.C. §45(a)
• National Institute of Standards and Technology (NIST) Act (p. 13), 15 U.S.C. §271
• Radio Act of 1912
• Federal Power Act (p. 13), 16 U.S.C. §791a et seq., §824 et seq.
• Radio Act of 1927
• Communications Act of 1934 (p. 14), 47 U.S.C. §151 et seq.
• National Security Act of 1947 (p. 15), 50 U.S.C. §401 et seq.
• US Information and Educational Exchange Act of 1948 (Smith-Mundt Act) (p. 15), 22 U.S.C. §1431 et seq.
• Defense Production Act of 1950, 50 U.S.C. App. §2061 et seq.
• State Department Basic Authorities Act of 1956 (p. 17), 22 U.S.C. §2651a
• Brooks Automatic Data Processing Act
• Freedom of Information Act (FOIA) (p. 17), 5 U.S.C. §552
• Omnibus Crime Control and Safe Streets Act of 1968 (p. 19), 42 U.S.C. Chapter 46, §§3701 to 3797ee-1
• Racketeer Influenced and Corrupt Organizations Act (RICO) (p. 19), 18 U.S.C. Chapter 96, §§1961-1968
• Federal Advisory Committee Act (p. 20), 5 U.S.C. App., §§1-16
• War Powers Resolution, 50 U.S.C. Chapter 33, §§1541-1548
• Privacy Act of 1974 (p. 20), 5 U.S.C. §552a
• Foreign Intelligence Surveillance Act of 1978 (FISA), 18 U.S.C. §§2511, 2518-2519
• Foreign Intelligence Surveillance Act of 1978 (FISA), 50 U.S.C. Chapter 36, §§1801-1885c
• Privacy Protection Act of 1980, 42 U.S.C. Chapter 21A, §§2000aa-5 to 2000aa-12
• Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (p. 21), 18 U.S.C. §1030
• Computer Fraud and Abuse Act of 1986, 18 U.S.C. §1030
• Electronic Communications Privacy Act of 1986 (ECPA) (p. 22), 18 U.S.C. §§2510-2522, 2701-2712, 3121-3126
• Department of Defense Appropriations Act, 1987 (p. 24), 10 U.S.C. §167
• Computer Security Act of 1987, 15 U.S.C. §§272, 278g-3, 278g-4, 278h
• Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. §552a
• High Performance Computing Act of 1991 (p. 24), 15 U.S.C. Chapter 81
• Communications Assistance for Law Enforcement Act (CALEA) of 1994 (p. 26), 47 U.S.C. §1001 et seq.

Source: Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, Eric A. Fischer, Senior Specialist in Science and Technology, December 22, 2011




Cybersecurity Law
• Paperwork Reduction Act of 1995, 44 U.S.C. Chapter 35, §§3501-3549
• Telecommunications Act of 1996, 47 U.S.C. §609
• Communications Decency Act of 1996 (p. 27), 47 U.S.C. §§223, 230
• Clinger-Cohen Act (Information Technology Management Reform Act) of 1996 (p. 28), 40 U.S.C. §11001 et seq.
• Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. §1320d et seq.
• Economic Espionage Act of 1996, 18 U.S.C. §1030, Chapter 90, §§1831-1839
• Identity Theft and Assumption Deterrence Act of 1998 (p. 29), 18 U.S.C. §1028
• National Defense Authorization Act for Fiscal Year 2000, 10 U.S.C. §2224
• Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Chapter 94, §§6801-6827
• USA PATRIOT Act of 2001, 18 U.S.C. §1
• Sarbanes-Oxley Act of 2002, 15 U.S.C. §7262
• Homeland Security Act of 2002 (HSA) (p. 30), 6 U.S.C. §§121-195c, 441-444, and 481-486
• Federal Information Security Management Act of 2002 (FISMA) (p. 32), 44 U.S.C. Chapter 35, Subchapters II and III, 40 U.S.C. §11331, 15 U.S.C. §§278g-3 and 278g-4
• Terrorism Risk Insurance Act of 2002 (p. 34), 15 U.S.C. §6701 nt.
• Cyber Security Research and Development Act, 2002 (p. 34), 15 U.S.C. §§278g, 278h, 7401 et seq.
• E-Government Act of 2002 (p. 36), 5 U.S.C. Chapter 37, 44 U.S.C. §3501 nt., Chapter 35, Subchapter 2, and Chapter 36
• Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. §1601
• Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, 15 U.S.C. Chapter 103, §§7701-7713, 18 U.S.C. §1037
• Identity Theft Penalty Enhancement Act of 2004 (p. 37), 18 U.S.C. §§1028, 1028A
• Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) (p. 38), 42 U.S.C. §2000ee, 50 U.S.C. §403-1 et seq., §403-3 et seq., §404o et seq.
• Energy Policy Act of 2005 (EPACT), 16 U.S.C. §824o
• Department of Homeland Security Appropriations Act, 2007, 6 U.S.C. §121 nt.
• Protect America Act of 2007, 50 U.S.C. §1801 nt.
• Energy Independence and Security Act of 2007 (EISA), 42 U.S.C. §§17381-17385
• Foreign Intelligence Surveillance Act of 1978 [FISA] Amendments Act of 2008, 50 U.S.C. §1801
• Identity Theft Enforcement and Restitution Act of 2008, 18 U.S.C. §1030
• Health Information Technology for Economic and Clinical Health Act, 42 U.S.C. §17901 et seq.

Source: Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, Eric A. Fischer, Senior Specialist in Science and Technology, December 22, 2011

“…security is an art – and you cannot legislate art.”
Comment by Deputy Assistant Director, US DOE



Do The Right Thing
• “Why don’t they just do the right thing?”
  – Comment by House Homeland Security Committee staffer, 2009
• Dozens of Congressional hearings
• Roughly 150 bills since 2009
• Executive Order being considered
• No closer to defining what the “right thing” is




Compliance vs. Security
• “I had a nightmare last night. My entire security team had been converted to compliance staff!”
  – Comment by former security manager for a large U.S. investor-owned utility
• A culture of compliance may not be a good thing
• Compliance can both help and hurt security
• There is a point where security and compliance meet – it isn’t always easy to find, but it is the best approach toward spending/resourcing


Sector Spotlight
• Electric sector (SCADA) = new shiny object
• TV, movies, media, blogosphere, Twitter
• Armchair experts and hyperbole
• Other critical infrastructures, nation states
• Smart Grid fever will drive more attention
• The mania will intensify in the near term
• Very little actuarial data to form risk models


Resources Are Scarce
• Not enough qualified security pros available
• Very complex range of skills needed to match operational technologies, security tools and business (compliance) risk
• Active “cannibalization” of talent within the sector
• Few qualified auditors and consultants
• Artificial demand in the market increases costs


Vendor Relationships
• Most vendors put features first, security second
• ARRA and other “green/clean” dollars are fueling corporate consumerism
• You are being given old technology as new, and new technology that hasn’t been tested
• Interoperability standards, SCADA Procurement Language, code reviews, etc.
• 100% secure does not and will not exist
• Security testing in FAT, and again in SAT
• Vulnerability disclosure ripple effect


Negative Perceptions
• Too many cases of lowering security to achieve strict compliance with NERC CIP standards – while possibly [potentially] reducing reliability
• Too few Critical Assets and Critical Cyber Assets
• CIPS is more about accountability than security
• Future changes to CIPS are slow and inadequate
• Virtually no change in over 6 years
• Industry is actively trying to minimize and stall
• CIP Version 5 has one more “round” – or else…

Regulation Will Get Muddy
• Accountability baseline still forming
• Consensus is not possible; ANSI flaws
• Region/NERC/FERC relationship is unstable
• Data breach laws are coming
• Overlapping regulations (SOX, PCI, CFATS, MTSA, Pipeline Safety, NRC…)
• Heavy politics attached to grid security
• Who’s got the cybersecurity authority today?

Recommendations
• Realize that you are a target; act accordingly
• Prepare for the spotlight and the microscope
• Build a compliance program that can embrace any regulatory regime – even DHS (think TSA)
• CIPS is only the beginning; expect more
• Don’t wait for the next regulation to get started implementing controls

Recommendations
• Start with an evaluation of risk and capability
• Adopt a risk management framework
• Automate compliance from sound business process, but don’t under-resource
  – Security technology requires humans
• Consider a continuous monitoring approach
• Manage like other risks in the portfolio
• Communication is key: customers, stakeholders

EnergySec Needs You
• Volunteer programs
  – Tactical Analysis Center
  – Best Practices Repository
  – Community-driven efforts (Working Groups, task forces, whitepapers, etc.)
• Financial support
  – NESCO must be sustained by industry
  – TAC subscriptions
  – Organizational or individual membership
  – Donations/sponsorships


Break The Mold
“You cannot solve a problem from the same consciousness that created it. You must learn to see the world anew.”
  – Albert Einstein




Questions




Patrick C Miller
President & CEO
patrick.miller@energysec.org
503.272.1414
@patrickcmiller (twitter)
www.energysec.org




Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Call To Arms: Combatting Apathy, Fatigue and Misdirection

  • 1. Call to Arms: Combating Apathy, Fatigue and Misdirection
    8th Annual EnergySec Summit, World Trade Center, Portland, OR, September 25 2012
  • 2. Threat Picture
    Intelligent, adaptive adversaries exist. They don’t follow the rules or compliance checklists. They have people, money and time. But… the sky isn’t falling.
    The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy. (9/26/12)
  • 3. Technology Picture
    - Emergent intelligence
    - A new digital world order
    - Hyper-connectivity
    - Hyper-embeddedness
    - Hyper-temporality
    - Vulnerabilities abound
    - Bolt-ons are imperfect & complex
  • 4. Cybersecurity Picture
    - Research, espionage, organized crime, cyber/info warfare
    - Data is money
    - Nation state quality defense is the new norm
    - Isolation is extremely difficult
    - Cyber-kinetic impacts
    - Engineering vs. Security
  • 5. Small Is The New Big
    - Cyber attacks don’t care about distance or size
    - It’s all about connectivity
    - Hackers are typically lazy, except when they’re not
    - Attribution and obfuscation
    - Stepping stones
  • 6. Legislative/Regulatory Picture
    - Hyperbole, FUD and politics
    - Fear the auditor more than the attacker
    - “Comprehensive”
    - Smart Grid security/interoperability
    - Data breach disclosure
    - Intelligent islanding
    - Federal turf wars over critical infrastructure cybersecurity
    - Regulatory landscape shift
  • 7. Regulation vs. Attitude
    - Regulation is easy, until it isn’t
      - Toaster to turbine
      - Party politics
      - Fed vs Fed, Fed vs State vs Local…
      - Overlap, cost and fatigue
    - Adversaries will always innovate faster than the legislative process
    - You can prescribe action, but not attitude
  • 8. Cybersecurity Law
    - Posse Comitatus Act, 18 U.S.C. §1385
    - Antitrust Laws
    - Sherman Antitrust Act, 15 U.S.C. §§1-7
    - Wilson Tariff Act, 15 U.S.C. §§8-11
    - Clayton Act §5 of the Federal Trade Commission (FTC), 15 U.S.C. §§12-27
    - Clayton Act §5 of the Federal Trade Commission (FTC), 15 U.S.C. §45(a)
    - National Institute of Standards and Technology (NIST) Act (p. 13), 15 U.S.C. §271
    - Radio Act of 1912
    - Federal Power Act (p. 13), 16 U.S.C. §791a et seq., §824 et seq.
    - Radio Act of 1927
    - Communications Act of 1934 (p. 14), 47 U.S.C. §151 et seq.
    - National Security Act of 1947 (p. 15), 50 U.S.C. §401 et seq.
    - US Information and Educational Exchange Act of 1948 (Smith-Mundt Act) (p. 15), 22 U.S.C. §1431 et seq.
    - Defense Production Act of 1950, 50 U.S.C. App. §2061 et seq.
    - State Department Basic Authorities Act of 1956 (p. 17), 22 U.S.C. §2651a
    - Brooks Automatic Data Processing Act
    - Freedom of Information Act (FOIA) (p. 17), 5 U.S.C. §552
    - Omnibus Crime Control and Safe Streets Act of 1968 (p. 19), 42 U.S.C. Chapter 46, §§3701 to 3797ee-1
    - Racketeer Influenced and Corrupt Organizations Act (RICO) (p. 19), 18 U.S.C. Chapter 96, §§1961-1968
    - Federal Advisory Committee Act (p. 20), 5 U.S.C. App., §§1-16
    - War Powers Resolution, 50 U.S.C. Chapter 33, §§1541-1548
    - Privacy Act of 1974 (p. 20), 5 U.S.C. §552a
    - Foreign Intelligence Surveillance Act of 1978 (FISA), 18 U.S.C. §§2511, 2518-9
    - Foreign Intelligence Surveillance Act of 1978 (FISA), 50 U.S.C. Chapter 36, §§1801-1885c
    - Privacy Protection Act of 1980, 42 U.S.C. Chapter 21A, §§2000aa-5 to 2000aa-12
    - Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (p. 21), 18 U.S.C. §1030
    - Computer Fraud and Abuse Act of 1986, 18 U.S.C. §1030
    - Electronic Communications Privacy Act of 1986 (ECPA) (p. 22), 18 U.S.C. §§2510-2522, 2701-2712, 3121-3126
    - Department of Defense Appropriations Act, 1987 (p. 24), 10 U.S.C. §167
    - Computer Security Act of 1987, 15 U.S.C. §§272, 278g-3, 278g-4, 278h
    - Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. §552a
    - High Performance Computing Act of 1991 (p. 24), 15 U.S.C. Chapter 81
    - Communications Assistance for Law Enforcement Act (CALEA) of 1994 (p. 26), 47 U.S.C. §1001 et seq.
    - Source: Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, Eric A. Fischer, Senior Specialist in Science and Technology, December 22, 2011
  • 9. Cybersecurity Law
    - Paperwork Reduction Act of 1995, 44 U.S.C. Chapter 35, §§3501-3549
    - Telecommunications Act of 1996, 47 U.S.C. §609
    - Communications Decency Act of 1996 (p. 27), 47 U.S.C. §§223, 230
    - Clinger-Cohen Act (Information Technology Management Reform Act of 1996) (p. 28), 40 U.S.C. §11001 et seq.
    - Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. §1320d et seq.
    - Economic Espionage Act of 1996, 18 U.S.C. §1030, Chapter 90, §§1831-1839
    - Identity Theft and Assumption Deterrence Act of 1998 (p. 29), 18 U.S.C. §1028
    - National Defense Authorization Act for Fiscal Year 200, 10 U.S.C. §2224
    - Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Chapter 94, §§6801-6827
    - USA PATRIOT Act of 2001, 18 U.S.C. §1
    - Sarbanes-Oxley Act of 2002, 15 U.S.C. §7262
    - Homeland Security Act of 2002 (HSA) (p. 30), 6 U.S.C. §§121-195c, 441-444, and 481-486
    - Federal Information Security Management Act of 2002 (FISMA) (p. 32), 44 U.S.C. Chapter 35, Subchapters II and III, 40 U.S.C. 11331, 15 U.S.C. 278g-3 & 4
    - Terrorism Risk Insurance Act of 2002 (p. 34), 15 U.S.C. §6701 nt.
    - Cyber Security Research and Development Act, 2002 (p. 34), 15 U.S.C. §§278g, h, 7401 et seq.
    - E-Government Act of 2002 (p. 36), 5 U.S.C. Chapter 37, 44 U.S.C. §3501 nt., Chapter 35, Subchapter 2, and Chapter 36
    - Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. §1601
    - Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, 15 U.S.C. Chapter 103, §§7701-7713, 18 U.S.C. 1037
    - Identity Theft Penalty Enhancement Act 2004 (p. 37), 18 U.S.C. §§1028, 1028A
    - Intelligence Reform and Terrorism Prevention Act of 2004 (IRPTA) (p. 38), 42 U.S.C. §2000ee, 50 U.S.C. §403-1 et seq., §403-3 et seq., §404o et seq.
    - Energy Policy Act of 2005 (EPACT), 16 U.S.C. 824o
    - Department of Homeland Security Appropriations Act, 2007, 6 U.S.C. §121 nt.
    - Protect America Act of 2007, 50 U.S.C. §1801 nt.
    - Energy Independence and Security Act of 2007 (EISA), 42 U.S.C. §§17381-17385
    - Foreign Intelligence Surveillance Act of 1978 [FISA] Amendments Act of 2008, 50 U.S.C. §1801
    - Identity Theft Enforcement and Restitution Act of 2008, 18 U.S.C. §1030
    - Health Information Technology for Economic and Clinical Health Act, 42 U.S.C. §17901 et seq.
    - Source: Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, Eric A. Fischer, Senior Specialist in Science and Technology, December 22, 2011
    “…security is an art – and you cannot legislate art.” Comment by Deputy Assistant Director, US DOE
  • 10. Do The Right Thing
    - “Why don’t they just do the right thing?”
      - Comment by House Homeland Security Committee staffer, 2009
    - Dozens of Congressional hearings
    - Roughly 150 bills since 2009
    - Executive Order being considered
    - No closer to defining what the “right thing” is
  • 11. Compliance vs. Security
  • 12. Compliance vs. Security
    - “I had a nightmare last night. My entire security team had been converted to compliance staff!”
      - Comment by former security manager for a large U.S. investor-owned utility
    - A culture of compliance may not be a good thing
    - Compliance can both help and hurt security
    - There is a point where security and compliance meet – it isn’t always easy to find, but it is the best approach toward spending/resourcing
  • 13. Sector Spotlight
    - Electric sector (SCADA) = new shiny object
    - TV, movies, media, blogosphere, Twitter
    - Armchair experts and hyperbole
    - Other critical infrastructures, nation states
    - Smart Grid fever will drive more attention
    - The mania will intensify in the near term
    - Very little actuarial data to form risk models
  • 14. Resources Are Scarce
    - Not enough qualified security pros available
    - Very complex range of skills needed to match operational technologies, security tools and business (compliance) risk
    - Active “cannibalization” of talent within the sector
    - Few qualified auditors and consultants
    - Artificial demand in the market increases costs
  • 15. Vendor Relationships
    - Most vendors put features first, security second
    - ARRA and other “green/clean” dollars are fueling corporate consumerism
    - You are being given old technology as new, and new technology that hasn’t been tested
    - Interoperability standards, SCADA Procurement Language, code reviews, etc.
    - 100% secure does not and will not exist
    - Security testing in FAT, and again in SAT
    - Vulnerability disclosure ripple effect
  • 16. Negative Perceptions
    - Too many cases of lowering security to achieve strict compliance with NERC CIP standards – while possibly [potentially] reducing reliability
    - Too few Critical Assets and Critical Cyber Assets
    - CIPS is more about accountability than security
    - Future changes to CIPS are slow and inadequate
    - Virtually no change in over 6 years
    - Industry is actively trying to minimize and stall
    - CIP Version 5 has one more “round” - or else…
  • 17. Regulation Will Get Muddy
    - Accountability baseline still forming
    - Consensus is not possible; ANSI flaws
    - Region/NERC/FERC relationship is unstable
    - Data breach laws are coming
    - Overlapping regulations (SOX, PCI, CFATS, MTSA, Pipeline Safety, NRC…)
    - Heavy politics attached to grid security
    - Who’s got the cybersecurity authority today?
  • 18. Recommendations
    - Realize that you are a target; act accordingly
    - Prepare for the spotlight and the microscope
    - Build a compliance program that can embrace any regulatory regime – even DHS (think TSA)
    - CIPS is only the beginning; expect more
    - Don’t wait for the next regulation to start implementing controls
  • 19. Recommendations
    - Start with an evaluation of risk and capability
    - Adopt a risk management framework
    - Automate compliance from sound business process, but don’t under-resource
      - Security technology requires humans
    - Consider a continuous monitoring approach
    - Manage like other risks in the portfolio
    - Communication is key: customers, stakeholders
  • 20. EnergySec Needs You
    - Volunteer programs
      - Tactical Analysis Center
      - Best Practices Repository
      - Community-driven efforts (Working Groups, task force, whitepapers, etc.)
    - Financial support
      - NESCO must be sustained by industry
      - TAC subscriptions
      - Organizational or individual membership
      - Donations/sponsorships
  • 21. Break The Mold
    “You cannot solve a problem from the same consciousness that created it. You must learn to see the world anew.” - Albert Einstein
  • 22. Questions
    Patrick C Miller, President & CEO
    patrick.miller@energysec.org
    503.272.1414
    @patrickcmiller (twitter)
    www.energysec.org