Cybersecurity for Energy: Moving Beyond Compliance



Presented by: Gib Sorebo, SAIC

Abstract: For the last few years, energy companies, particularly electric utilities, have been scrambling to meet the onslaught of cybersecurity regulations. However, hackers don’t follow regulations, so the need to rapidly address evolving threats is imperative to meet expectations of senior leadership, board members, and shareholders. This session will discuss how a mature governance structure and a cybersecurity strategy based on a comprehensive understanding of business risk can be used to address threats, comply with regulations, and obtain support from company stakeholders.

Published in: Technology, Business

  1. NATIONAL SECURITY • ENERGY & ENVIRONMENT • HEALTH • CYBERSECURITY
     © SAIC. All rights reserved.
     Cybersecurity for Energy: Moving Beyond Compliance
  2. The Threats Keep Coming….
     •  1998: Telephone switch hack closes an airport
     •  2000: Gazprom central control is hacked
     •  2000: Australian hacker causes environmental harm by releasing sewage
     •  2001: Hackers protesting U.S./China conflict enter U.S. electric power systems
     •  2003: Power outages in northeastern United States occur
     •  2003: Worm shuts systems down at Davis-Besse nuclear plant
     •  2006: Zotob virus shuts down Holden car manufacturing plant (Australia)
     •  2007: Aurora demonstration shows that a remote hacker can cause physical damage to a generator
     •  2008: Intruder installed malware causing damage to Sacramento River diverter
     •  2010: Stuxnet discovered
     •  2012: Saudi Aramco targeted by Shamoon virus wiping out 30,000 hard drives
  3. ….And Our Defenses Struggle to Keep Up
     Threat Briefing: Escalating Security Threats
     •  Attackers prefer lower-tech attack methods if they work
     •  Attacks are tailored to the defenses they need to breach
     •  As defenses improve, attacks will escalate to breach them, then step back down
     •  Improve defenses in one area and attackers move to other areas that are weaker
     Attacks (charted against increasing difficulty): Phishing; Spear Phishing; Published Vulnerabilities (Browser, App, OS); Web Attacks (SQL Inject; Cross-Site Script); Credential Harvesting & Abuse (Keylogger, Pass-the-Hash); 2-factor Compromise (Session hijack, OTP capture, Cert theft); Break Weak Crypto / Password; Zero Day (Browser, App, OS); Driver / BIOS / Hardware (Vulnerability, Zero-Day); Hypervisor Breach (Vulnerability, Zero-Day); Break Strong Cryptography; Network Breach (Firewall, Switch, Router)
     Defenses (charted against increasing difficulty): Firewall; Anti-Virus; Patching; Network IDS; Host Firewall, Intrusion Detection System (IDS) / Intrusion Prevention System (IPS); Network Segmentation; Physical Isolation; Hardened operating system; Data Protection / Encryption; Secure Coding; Access Control; App Whitelisting; App Hardening; High Assurance hardware; 2-Factor Authentication; Log Consolidation; In-Memory Malware Detection
     Threat actors shown on the chart: Viruses; Hacktivists; Hackers; APT
     BIOS = Basic Input/Output System; APT = Advanced Persistent Threat; OS = Operating System; OTP = One-time Password; Cert = Certificate
  4. Cybersecurity is Becoming a Board-level Issue
     Sources shown on slide: Reuters, October 13, 2011; National Association of Corporate Directors
  5. Turning Cybersecurity Risk Into a Business Risk
     •  Nuisance Example: Isolated malware infections
        –  Typically occur at a rate of 6% of computers per year
        –  One oil company estimated the cost at $4000 per machine (including productivity losses)
     •  Slightly Less of a Nuisance: Customer Data Breach Losses
        –  Ponemon Institute estimated the cost at $194 per record (most of the cost is future lost business)
        –  TJX saw losses of more than $171 million for its 2006 data breach; Heartland Payment Systems had 130 million credit card numbers breached in 2009
        –  For most customer data breaches, however, the relevant costs are minor, as harms are hard to prove and the reputational damage is short-lived
     •  For utilities, the greatest threats from cybersecurity attacks are to the ability to operate
        –  Maintaining stability of transmission and distribution grids (preventing widespread outages)
        –  Keeping hard-to-replace equipment from being damaged or destroyed (Aurora)
        –  Protecting human lives (fires, electrocutions, explosions, radiation)
        –  Ability to maintain cash flow (integrity of financial records, ability to bill and receive payments, access to bank accounts to pay suppliers)
        –  Ability to generate and coordinate (independent system operator functions, automated generation control)
  6. What About These “Cyber” Risks?
     “Examples of true incidents that have been labelled cyber security breaches are as follows:
        –  a mis-sent email (a strategy document sent to a competitor);
        –  commercial papers lost on a train;
        –  a former employee that was not legally prevented from taking bid information to a competitor;
        –  a laptop left on a plane with passwords attached; and careless use of social media giving away IPR,
        –  and more frequently, because it's cheaper, the use of social engineering ("new best friends" who buy you drinks all night at the bar, fascinated by your company).”
     Andrew Fitzmaurice, The Guardian, July 25, 2013
  7. Organizing Around Business Risk
     •  The Banking Experience (Basel II/III)
        –  Organizes risk around categories that can be measured and that contribute to the organization’s overall risk posture, which in turn influences capital requirements
     Influence on Capital Requirements: Market Risk; Credit Risk; Liquidity Risk; Operational Risk
     Operational Risk Components: Legal; Human Resources; Physical Security/Facilities; Procurement; IT (Performance, Security, Capacity)
     IT – Information Technology
  8. Business Risk for Utilities
     •  Align by function/business area
        –  Harder to tie in financial metrics that benefit from lower risk (bond ratings?)
     Utility Business Risks: T&D Reliability; Energy Trading; Key Equipment Protection; Human Safety; Cash Flow; Compliance; Operational Risk
     Operational Risk Components: Human Resources; Facilities; IT (Performance, Security, Capacity)
     T&D – Transmission & Distribution; IT – Information Technology
  9. Governance Model
     •  Who does the cybersecurity organization report to?
        –  In many, it’s the Chief Information Officer
        –  Can reporting reach executive and board level stakeholders?
        –  Do policies regularly get the backing of the CEO?
     •  Budget
        –  Is the cybersecurity budget tied to major initiatives (transmission expansion, safety initiatives, new substations)?
        –  Is there a relationship between cybersecurity risk and other major risks?
           •  As new meters, sensors, and relays are added, is cybersecurity risk adjusted along with its budget?
           •  Are improvements in grid reliability correlated with improvement in cybersecurity?
        –  Are cybersecurity budget line items evaluated for how they help reduce major business risks or even other operational risks?
  10. Moving from a Tactical to a Risk Management Mindset
     •  What gets reported?
        –  Malware infections vs. business disruptions
        –  Data breaches/lost laptops vs. value at risk
        –  Attacks blocked vs. threats averted
     •  How are resources allocated for cybersecurity?
     Tactical: Firewall management; Log management; Authentication; Endpoint security; Server security
     Risk Management: T&D grid stability; Customer data protection; Energy trading integrity; Key asset protection; Health and safety
     T&D – Transmission & Distribution
  11. From Resistance to Resiliency and Recovery
     •  Do you know what your response will be if…
        –  You cannot trust the data coming from your substations
        –  Customer billing data has been corrupted
        –  Hackers have brought down your Energy Management System, and you’re not sure if all malware has been removed
        –  A smart meter firmware update that was just applied contains malicious code that shuts off power and then ceases communication?
     •  Most utilities run disaster recovery and business continuity drills, but they usually focus on natural events rather than malicious, sentient actors
     •  While prevention and detection are necessary, successful programs assume response and recovery will be required and plan accordingly
  12. Where to Start
     •  How can you tell how good a job you are doing?
        –  Mapping to business risks helps to speak to the board, but day-to-day challenges still require a comprehensive approach
        –  Frameworks can help if used in the context of business risk
           •  NERC CIP, NIST SP 800-53/800-82, ISO 27001, IEC 62443*
        –  Need maturity models and means of comparison with peers
     Electricity Subsector Cybersecurity Capability Maturity Model (US Department of Energy)
     Maturity Indicator Levels (MIL): MIL1: Initiated; MIL2: Performed; MIL3: Managed
     *See last slide for acronyms
  13. Managing IT Security Capabilities
     •  Need to apply controls from a lifecycle and functional perspective, such as Integrated Strategy & Architecture, Integrated Operations, and Engineering services, in each of the Ten Functional Areas indicated below.
     Lifecycle activities (columns of the slide's table, grouped under Strategy & Architecture, Engineering, and Operations): Architect, Design, Deploy, Support, Retire, Maintain, Operate
     Each of the ten functional areas is marked (X) for every one of the seven lifecycle activities:
        1  Security Infrastructure Management
        2  Network Admin & Security
        3  Application Security
        4  Endpoint & Server Security
        5  Cryptography & Data Protection
        6  Identity Management & Authentication
        7  Asset Management & Supply Chain
        8  Monitoring & Vulnerability Management
        9  Incident Response
        10 Policy & Audit & E-Discovery & Training
  14. Along with Some Control System Considerations
     Bridging the Information Technology (IT) / Operations Technology (OT) divide will be critical to a successful program, as the threats hit IT first but the biggest impact is felt on the OT side.
  15. Integrating the Data
     •  Frameworks operate at 10,000 feet, threats at ground level
        –  Need automated mechanisms to report current state
        –  In government, we often use the term “continuous monitoring;” commercially it’s often “enterprise vulnerability management”
        –  Also need to ensure mandated controls stay current with threats
     Data sources feeding roles-based correlation: Operations/Engineering; Physical Security; IT-Telecom/Cybersecurity
  16. Putting It All Together
     Governance & Oversight spans the three areas below.
     Strategy & Risk Management
        –  Assessing and Reporting
        –  Mapping security controls to acceptable risk posture
        –  Making sure cybersecurity risks are associated with business risks
     Security Operations
        –  Monitoring systems and networks for attacks
        –  Continuously monitoring for vulnerabilities and policy violations
        –  Aggressively seeking out threat intelligence
        –  Responding to incidents and assisting with the recovery
     Security Engineering
        –  Researching new protection techniques
        –  Designing, deploying, and supporting new security tools and technologies
        –  Aligning security tools, techniques, and technologies with the organization’s culture and business drivers
  17. Budgets: How Much Security is Enough?
     •  The industry norms
        –  Cybersecurity budgets in all industries tend to range from 3 to 10% of the information technology budget
        –  For utilities, that number is closer to 3-5%
        –  IT budgets vary considerably by industry given different ways revenue is generated
        –  For many, 2-5% of revenue is typical for an IT budget
        –  For energy companies, operations technology (such as control systems) may be additional
     •  Criteria for additional expenditures
        –  Regulatory compliance (as much as 50% of security budget)
        –  Requirements to meet business continuity objectives
        –  Desire to meet industry best practices (such as encryption of all removable storage)
        –  Changing threat landscape
        –  Easily exploitable vulnerabilities
        –  Achieving acceptable risk posture (most subjective & hardest to substantiate)
  18. Example: Incorporating New Threats
     •  Stuxnet
        –  Highly targeted and advanced attack on an Iranian nuclear power plant
        –  Included several “zero day” exploits (malicious software targeting vulnerabilities that had not been publicly known)
        –  Likely introduced into an “air-gapped” environment through a flash drive
     Updating security policy and related controls: Removable Media Practices; “Out of band” monitoring; Application Whitelisting
     Steps shown on slide: Obtain buy-in from senior management; Tie changes to key business objectives (such as key asset protection); Update budget; Update policies & train employees; Deploy software; Integrate technology
  19. In Summary
     Keys for a Successful Security Program: Compliance Through Lower Risk; Crossing Organization Boundaries; A Strategic Approach; Future Aware; Holistic Security Approach
  20. Discussion
     For more information contact: Gib Sorebo, SAIC Vice President / Chief Cybersecurity Technologist, phone: 703-676-2605 | email:
  21. Acronyms
     NERC – North American Electric Reliability Corporation
     CIP – Critical Infrastructure Protection
     NIST SP – National Institute of Standards and Technology Special Publication
     ISO – International Organization for Standardization
     IEC – International Electrotechnical Commission