Cybersecurity for Energy: Moving Beyond Compliance
SAIC: NATIONAL SECURITY • ENERGY & ENVIRONMENT • HEALTH • CYBERSECURITY
SAIC.com
© SAIC. All rights reserved.
The Threats Keep Coming….
•  1998: Telephone switch hack closes an airport
•  2000: Gazprom central control is hacked
•  2000: Australian hacker causes environmental harm by releasing sewage
•  2001: Hackers protesting U.S./China conflict enter U.S. electric power systems
•  2003: Power outages in northeastern United States occur
•  2003: Worm shuts systems down at Davis-Besse nuclear plant
•  2006: Zotob virus shuts down Holden car manufacturing plant (Australia)
•  2007: Aurora demonstration shows that a remote hacker can cause physical harm to a generator
•  2008: Intruder installed malware causing damage to Sacramento River diverter
•  2010: Stuxnet discovered
•  2012: Saudi Aramco targeted by Shamoon virus wiping out 30,000 hard drives
….And Our Defenses Struggle to Keep Up
Threat Briefing: Escalating Security Threats
•  Attackers prefer lower-tech attack methods if they work
•  Attacks are tailored to the defenses they need to breach
•  As defenses improve, attacks will escalate to breach them, then step back down
•  Improve defenses in one area and attackers move to other areas that are weaker
[Figure: escalation ladder of attacks against defenses along an "Increasing Difficulty" axis; threat actors placed along that axis: Viruses, Hacktivists, Hackers, APT.]
Attacks, in increasing difficulty: Phishing; Spear Phishing; Published Vulnerabilities (Browser, App, OS); Web Attacks (SQL Inject; Cross-Site Script); Credential Harvesting & Abuse (Keylogger, Pass-the-Hash); 2 factor Compromise (Session hijack, OTP capture, Cert theft); Break Weak Crypto / Password; Zero Day (Browser, App, OS); Driver / BIOS / Hardware (Vulnerability, Zero-Day); Hypervisor Breach (Vulnerability, Zero-Day); Break Strong Cryptography. Network Breach (Firewall, Switch, Router) is shown as a separate box.
Defenses: Firewall; Anti-Virus; Patching; Network IDS; Host Firewall, Intrusion Detection System (IDS) / Intrusion Prevention System (IPS); Network Segmentation; Physical Isolation; Hardened operating system; Data Protection / Encryption; Secure Coding; Access Control; App Whitelisting; App Hardening; High Assurance hardware; 2-Factor Authentication; Log Consolidation; In-Memory Malware Detection.
BIOS = Binary Input Output System; APT = Advanced Persistent Threat; OS = Operating System; OTP = One-time Password; Cert = Certificate
Cybersecurity is Becoming a Board-level Issue
[Figure sources: Reuters, October 13, 2011; National Association of Corporate Directors]
Turning Cybersecurity Risk Into a Business Risk
•  Nuisance Example: Isolated malware infections
–  Typically occur at a rate of 6% of computers per year
–  One oil company estimated the cost at $4000 per machine (including productivity losses)
•  Slightly Less of a Nuisance: Customer Data Breach Losses
–  Ponemon Institute estimated the cost at $194 per record (most of the cost is future lost business)
–  TJX saw losses of more than $171 million for its 2006 data breach; Heartland Payment Systems had 130 million credit card numbers breached in 2009
–  For most customer data breaches, however, the relevant costs are minor, as harms are hard to prove and the reputational damage is short-lived
•  For utilities, the greatest threats from a cybersecurity attack are to the ability to operate
–  Maintaining stability of transmission and distribution grids (preventing widespread outages)
–  Keeping hard-to-replace equipment from being damaged or destroyed (Aurora)
–  Protecting human lives (fires, electrocutions, explosions, radiation)
–  Ability to maintain cash flow (integrity of financial records, ability to bill and receive payments, access to bank accounts to pay suppliers)
–  Ability to generate and coordinate (independent system operator functions, automated generation control)
What About These “Cyber” Risks?
“Examples of true incidents that have been labelled cyber security breaches are as follows:
–  a mis-sent email (a strategy document sent to a competitor);
–  commercial papers lost on a train;
–  a former employee that was not legally prevented from taking bid information to a competitor;
–  a laptop left on a plane with passwords attached; and careless use of social media giving away IPR,
–  and more frequently, because it's cheaper, the use of social engineering ("new best friends" who buy you drinks all night at the bar, fascinated by your company).”
Andrew Fitzmaurice, The Guardian, July 25, 2013
http://www.guardian.co.uk/media-network/media-network-blog/2013/jul/25/cyber-security-board-level-information-technology
Organizing Around Business Risk
•  The Banking Experience (Basel II/III)
–  Organizes risk around categories that can be measured and that contribute to the organization’s overall risk posture, which in turn influences capital requirements
[Figure: risk categories with influence on capital requirements: Market Risk, Credit Risk, Liquidity Risk, Operational Risk. Operational Risk components: Legal; Human Resources; Physical Security/Facilities; Procurement; IT (Performance, Security, Capacity).]
IT – Information Technology
Business Risk for Utilities
•  Align by function/business area
–  Harder to tie in financial metrics that benefit from lower risk (bond ratings?)
[Figure: Utility Business Risks: T&D Reliability; Energy Trading; Key Equipment Protection; Human Safety; Cash Flow; Compliance; Operational Risk. Operational Risk components: Human Resources; Facilities; IT (Performance, Security, Capacity).]
T&D – Transmission & Distribution
IT – Information Technology
Governance Model
•  Who does the cybersecurity organization report to?
–  In many organizations, it’s the Chief Information Officer
–  Can reporting reach executive and board level stakeholders?
–  Do policies regularly get the backing of the CEO?
•  Budget
–  Is the cybersecurity budget tied to major initiatives (transmission expansion, safety initiatives, new substations)?
–  Is there a relationship between cybersecurity risk and other major risks?
•  As new meters, sensors, and relays are added, is cybersecurity risk adjusted along with its budget?
•  Are improvements in grid reliability correlated with improvement in cybersecurity?
–  Are cybersecurity budget line items evaluated for how they help reduce major business risks or even other operational risks?
Moving from a Tactical to a Risk Management Mindset
•  What gets reported?
–  Malware infections vs. business disruptions
–  Data breaches/lost laptops vs. value at risk
–  Attacks blocked vs. threats averted
•  How are resources allocated for cybersecurity?
Tactical:
•  Firewall management
•  Log management
•  Authentication
•  Endpoint security
•  Server security
Risk Management:
•  T&D grid stability
•  Customer data protection
•  Energy trading integrity
•  Key asset protection
•  Health and safety
T&D – Transmission & Distribution
From Resistance to Resiliency and Recovery
•  Do you know what your response will be if…
–  You cannot trust the data coming from your substations
–  Customer billing data has been corrupted
–  Hackers have brought down your Energy Management System, and you’re not sure if all malware has been removed
–  A smart meter firmware update that was just applied contains malicious code that shuts off power and then ceases communication?
•  Most utilities run disaster recovery and business continuity drills but usually focus on natural events and not malicious and sentient actors
•  While prevention and detection are necessary, successful programs assume response and recovery will be required and plan accordingly
Where to Start
•  How can you tell how good a job you are doing?
–  Mapping to business risks helps to speak to the board, but day-to-day challenges still require a comprehensive approach
–  Frameworks can help if used in the context of business risk
•  NERC CIP, NIST SP 800-53/800-82, ISO 27001, IEC 62443*
•  Need maturity models and means of comparison with peers
[Figure: Electricity Subsector Cybersecurity Capability Maturity Model (US Department of Energy). Maturity Indicator Levels (MIL): MIL1: Initiated; MIL2: Performed; MIL3: Managed.]
*See last slide for acronyms
Managing IT Security Capabilities
•  Need to apply controls from a lifecycle and functional perspective, covering Integrated Strategy & Architecture, Integrated Operations, and Engineering services in each of the ten functional areas in the table below. The lifecycle columns are grouped under Strategy & Architecture, Operations, and Engineering.

#   Functional Area                            Architect  Design  Deploy  Support  Retire  Maintain  Operate
1   Security Infrastructure Management             X        X       X       X        X        X         X
2   Network Admin & Security                       X        X       X       X        X        X         X
3   Application Security                           X        X       X       X        X        X         X
4   Endpoint & Server Security                     X        X       X       X        X        X         X
5   Cryptography & Data Protection                 X        X       X       X        X        X         X
6   Identity Management & Authentication           X        X       X       X        X        X         X
7   Asset Management & Supply Chain                X        X       X       X        X        X         X
8   Monitoring & Vulnerability Management          X        X       X       X        X        X         X
9   Incident Response                              X        X       X       X        X        X         X
10  Policy & Audit & E-Discovery & Training        X        X       X       X        X        X         X
Along with Some Control System Considerations
Bridging the Information Technology (IT) / Operations Technology (OT) divide will be critical to a successful program, as the threats hit IT first but the biggest impact is felt on the OT side.
Integrating the Data
•  Frameworks operate at 10,000 feet, threats at ground level
–  Need automated mechanisms to report current state
–  In government, we often use the term “continuous monitoring;” commercially it’s often “enterprise vulnerability management”
–  Also need to ensure mandated controls stay current with threats
[Figure: roles-based correlation across Operations/Engineering, Physical Security, and IT-Telecom/Cybersecurity.]
Putting It All Together
Strategy & Risk Management
–  Assessing and Reporting
–  Mapping security controls to acceptable risk posture
–  Making sure cybersecurity risks are associated with business risks
Security Operations
–  Monitoring systems and networks for attacks
–  Continuously monitoring for vulnerabilities and policy violations
–  Aggressively seeking out threat intelligence
–  Responding to incidents and assisting with the recovery
Security Engineering
–  Researching new protection techniques
–  Designing, deploying, and supporting new security tools and technologies
–  Aligning security tools, techniques, and technologies with organization’s culture and business drivers
Governance & Oversight
Budgets: How Much Security is Enough?
•  The industry norms
–  Cybersecurity budgets in all industries tend to range from 3 to 10% of the information technology budget
–  For utilities, that number is closer to 3-5%
–  IT budgets vary considerably by industry given different ways revenue is generated
–  For many, 2-5% of revenue is typical for an IT budget
–  For energy companies, operations technology (such as control systems) may be additional
•  Criteria for additional expenditures
–  Regulatory compliance (as much as 50% of security budget)
–  Requirements to meet business continuity objectives
–  Desire to meet industry best practices (such as encryption of all removable storage)
–  Changing threat landscape
–  Easily exploitable vulnerabilities
–  Achieving acceptable risk posture (most subjective & hardest to substantiate)
Example: Incorporating New Threats
•  Stuxnet
–  Highly targeted and advanced attack on an Iranian nuclear power plant
–  Included several “zero day” exploits (malicious software targeting vulnerabilities that had not been publicly known)
–  Likely introduced into an “air-gapped” environment through a flash drive
[Figure: Updating security policy and related controls. Control areas: Removable Media Practices; “Out of band” monitoring; Application Whitelisting. Steps: Obtain buy-in from senior management; Tie changes to key business objectives (such as key asset protection); Update budget; Update policies & train employees; Deploy software; Integrate technology.]
In Summary
[Figure: Keys for a Successful Security Program: Compliance Through Lower Risk; Crossing Organization Boundaries; A Strategic Approach; Future Aware; Holistic Security Approach.]
Discussion
For more information contact:
Gib Sorebo
SAIC Vice President /Chief Cybersecurity Technologist
phone: 703-676-2605 | email: sorebog@saic.com
Acronyms
NERC – North American Electric Reliability Corporation
CIP – Critical Infrastructure Protection
NIST SP – National Institute for Standards and Technology Special Publication
ISO – International Standards Organization
IEC – International Electrotechnical Commission

SCADA Security WebinarSCADA Security Webinar
SCADA Security WebinarAVEVA
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...John Hamilton, DAHC,EHC,CFDAI, CPP, PSPO
 

Similar to Cybersecurity for Energy: Moving Beyond Compliance (20)

Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
 
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
IT Security Essentials
IT Security EssentialsIT Security Essentials
IT Security Essentials
 
Cost effective cyber security
Cost effective cyber securityCost effective cyber security
Cost effective cyber security
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations
 
Cyber liaility insurance the basics
Cyber liaility insurance   the basicsCyber liaility insurance   the basics
Cyber liaility insurance the basics
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Practical risk management for the multi cloud
Practical risk management for the multi cloudPractical risk management for the multi cloud
Practical risk management for the multi cloud
 
Conférence ENGIE ACSS 2018
Conférence ENGIE ACSS 2018 Conférence ENGIE ACSS 2018
Conférence ENGIE ACSS 2018
 
The Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for InvestorsThe Cyber Security Landscape: An OurCrowd Briefing for Investors
The Cyber Security Landscape: An OurCrowd Briefing for Investors
 
dataProtection_p3.ppt
dataProtection_p3.pptdataProtection_p3.ppt
dataProtection_p3.ppt
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
 
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
John Walsh, Sypris on Cyber Physical Systems  - Boston SECoT MeetUp 2015John Walsh, Sypris on Cyber Physical Systems  - Boston SECoT MeetUp 2015
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
 
CSO CXO Series Breakfast
CSO CXO Series BreakfastCSO CXO Series Breakfast
CSO CXO Series Breakfast
 
ICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness MeasurementICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness Measurement
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
 

More from EnergySec

Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
Gary Leatherman - A Holistic Approach for Reimagining Cyber DefenseGary Leatherman - A Holistic Approach for Reimagining Cyber Defense
Gary Leatherman - A Holistic Approach for Reimagining Cyber DefenseEnergySec
 
Slide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsSlide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsEnergySec
 
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...EnergySec
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyEnergySec
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...EnergySec
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityDaniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityEnergySec
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementLessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementEnergySec
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsEnergySec
 
Wireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of ReachWireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of ReachEnergySec
 
Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!EnergySec
 
Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network ArchitecturesEnergySec
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleEnergySec
 
Industrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With ScissorsIndustrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With ScissorsEnergySec
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...EnergySec
 
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...EnergySec
 
Where Cyber Security Meets Operational Value
Where Cyber Security Meets Operational ValueWhere Cyber Security Meets Operational Value
Where Cyber Security Meets Operational ValueEnergySec
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?EnergySec
 
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...EnergySec
 
Industry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherIndustry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherEnergySec
 
What the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each OtherWhat the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each OtherEnergySec
 

More from EnergySec (20)

Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
Gary Leatherman - A Holistic Approach for Reimagining Cyber DefenseGary Leatherman - A Holistic Approach for Reimagining Cyber Defense
Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
 
Slide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsSlide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and Mitigations
 
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityDaniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementLessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWs
 
Wireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of ReachWireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of Reach
 
Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!
 
Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network Architectures
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
 
Industrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With ScissorsIndustrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With Scissors
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
 
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
 
Where Cyber Security Meets Operational Value
Where Cyber Security Meets Operational ValueWhere Cyber Security Meets Operational Value
Where Cyber Security Meets Operational Value
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
 
Industry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherIndustry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working Together
 
What the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each OtherWhat the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each Other
 

Recently uploaded

UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 

Recently uploaded (20)

UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 

Cybersecurity for Energy: Moving Beyond Compliance

  • 1. NATIONAL SECURITY • ENERGY & ENVIRONMENT • HEALTH • CYBERSECURITY
  © SAIC. All rights reserved.
  Cybersecurity for Energy: Moving Beyond Compliance
  • 2. The Threats Keep Coming….
  •  1998: Telephone switch hack closes an airport
  •  2000: Gazprom central control is hacked
  •  2000: Australian hacker causes environmental harm by releasing sewage
  •  2001: Hackers protesting U.S./China conflict enter U.S. electric power systems
  •  2003: Power outages in northeastern United States occur
  •  2003: Worm shuts systems down at Davis-Besse nuclear plant
  •  2006: Zotob virus shuts down Holden car manufacturing plant (Australia)
  •  2007: Aurora demonstration shows that a remote attacker can physically damage a generator
  •  2008: Intruder installs malware causing damage to Sacramento River diverter
  •  2010: Stuxnet discovered
  •  2012: Saudi Aramco targeted by Shamoon virus, wiping 30,000 hard drives
  • 3. ….And Our Defenses Struggle to Keep Up
  Threat Briefing: Escalating Security Threats
  •  Attackers prefer lower-tech attack methods if they work
  •  Attacks are tailored to the defenses they need to breach
  •  As defenses improve, attacks will escalate to breach them, then step back down
  •  Improve defenses in one area and attackers move to other areas that are weaker
  [Diagram: an attack ladder beside a defense ladder, both of increasing difficulty from bottom to top, with threat actors placed along the same axis: Viruses, Hacktivists, Hackers, APT]
  Attacks, in the order shown (increasing difficulty): Phishing; Spear Phishing; Published Vulnerabilities (Browser, App, OS); Web Attacks (SQL Injection, Cross-Site Scripting); Credential Harvesting & Abuse (Keylogger, Pass-the-Hash); 2-Factor Compromise (Session hijack, OTP capture, Cert theft); Break Weak Crypto / Password; Zero Day (Browser, App, OS); Driver / BIOS / Hardware (Vulnerability, Zero-Day); Hypervisor Breach (Vulnerability, Zero-Day); Break Strong Cryptography. Also on the attack side: Network Breach (Firewall, Switch, Router)
  Defenses, in the order shown (increasing difficulty): Firewall; Anti-Virus; Patching; Network IDS; Host Firewall, IDS / IPS; Network Segmentation; Physical Isolation; Hardened operating system; Data Protection / Encryption; Secure Coding; Access Control; App Whitelisting; App Hardening; High Assurance hardware; 2-Factor Authentication; Log Consolidation; In-Memory Malware Detection
  BIOS = Basic Input/Output System; APT = Advanced Persistent Threat; OS = Operating System; OTP = One-time Password; Cert = Certificate; IDS = Intrusion Detection System; IPS = Intrusion Prevention System
  • 4. Cybersecurity is Becoming a Board-level Issue
  [Slide shows press and governance excerpts: Reuters, October 13, 2011; National Association of Corporate Directors]
  • 5. Turning Cybersecurity Risk Into a Business Risk
  •  Nuisance Example: Isolated malware infections
  –  Typically occur at a rate of 6% of computers per year
  –  One oil company estimated the cost at $4,000 per machine (including productivity losses)
  •  Slightly Less of a Nuisance: Customer Data Breach Losses
  –  Ponemon Institute estimated $194 per record (most of the cost is future lost business)
  –  TJX saw losses of more than $171 million for its 2006 data breach; Heartland Payment Systems had 130 million credit card numbers breached in 2009
  –  For most customer data breaches, however, the relevant costs are minor, as harms are hard to prove and the reputational damage is short-lived
  •  For utilities, the greatest threats from a cybersecurity attack are to the ability to operate
  –  Maintaining stability of transmission and distribution grids (preventing widespread outages)
  –  Keeping hard-to-replace equipment from being damaged or destroyed (Aurora)
  –  Protecting human lives (fires, electrocutions, explosions, radiation)
  –  Ability to maintain cash flow (integrity of financial records, ability to bill and receive payments, access to bank accounts to pay suppliers)
  –  Ability to generate and coordinate (independent system operator functions, automatic generation control)
  • 6. What About These “Cyber” Risks?
  “Examples of true incidents that have been labelled cyber security breaches are as follows:
  –  a mis-sent email (a strategy document sent to a competitor);
  –  commercial papers lost on a train;
  –  a former employee that was not legally prevented from taking bid information to a competitor;
  –  a laptop left on a plane with passwords attached; and careless use of social media giving away IPR,
  –  and more frequently, because it's cheaper, the use of social engineering ("new best friends" who buy you drinks all night at the bar, fascinated by your company).”
  Andrew Fitzmaurice, The Guardian, July 25, 2013
  http://www.guardian.co.uk/media-network/media-network-blog/2013/jul/25/cyber-security-board-level-information-technology
  • 7. Organizing Around Business Risk
  •  The Banking Experience (Basel II/III)
  –  Organizes risk around categories that can be measured and that contribute to the organization’s overall risk posture, which in turn influences capital requirements
  [Diagram] Influence on Capital Requirements: Market Risk; Credit Risk; Liquidity Risk; Operational Risk
  Operational Risk Components: Legal; Human Resources; Physical Security / Facilities; Procurement; IT (Performance, Security, Capacity)
  IT – Information Technology
  • 8. Business Risk for Utilities
  •  Align by function/business area
  –  Harder to tie in financial metrics that benefit from lower risk (bond ratings?)
  [Diagram] Utility Business Risks: T&D Reliability; Energy Trading; Key Equipment Protection; Human Safety; Cash Flow; Compliance; Operational Risk
  Operational Risk Components: Human Resources; Facilities; IT (Performance, Security, Capacity)
  T&D – Transmission & Distribution; IT – Information Technology
  • 9. Governance Model
  •  Who does the cybersecurity organization report to?
  –  In many organizations, it’s the Chief Information Officer
  –  Can reporting reach executive- and board-level stakeholders?
  –  Do policies regularly get the backing of the CEO?
  •  Budget
  –  Is the cybersecurity budget tied to major initiatives (transmission expansion, safety initiatives, new substations)?
  –  Is there a relationship between cybersecurity risk and other major risks?
  •  As new meters, sensors, and relays are added, is cybersecurity risk adjusted along with its budget?
  •  Are improvements in grid reliability correlated with improvements in cybersecurity?
  –  Are cybersecurity budget line items evaluated for how they help reduce major business risks, or even other operational risks?
• 10. Moving from a Tactical to a Risk Management Mindset
•  What gets reported?
–  Malware infections vs. business disruptions
–  Data breaches/lost laptops vs. value at risk
–  Attacks blocked vs. threats averted
•  How are resources allocated for cybersecurity?
Tactical
•  Firewall management
•  Log management
•  Authentication
•  Endpoint security
•  Server security
Risk Management
•  T&D grid stability
•  Customer data protection
•  Energy trading integrity
•  Key asset protection
•  Health and safety
T&D – Transmission & Distribution
• 11. From Resistance to Resiliency and Recovery
•  Do you know what your response will be if…
–  You cannot trust the data coming from your substations?
–  Customer billing data has been corrupted?
–  Hackers have brought down your Energy Management System, and you're not sure all malware has been removed?
–  A smart meter firmware update that was just applied contains malicious code that shuts off power and then ceases communication?
•  Most utilities run disaster recovery and business continuity drills, but these usually focus on natural events rather than malicious, sentient actors
•  While prevention and detection are necessary, successful programs assume that response and recovery will be required and plan accordingly
• 12. Where to Start
•  How can you tell how good a job you are doing?
–  Mapping to business risks helps when speaking to the board, but day-to-day challenges still require a comprehensive approach
–  Frameworks can help if used in the context of business risk
•  NERC CIP, NIST SP 800-53/800-82, ISO 27001, IEC 62443*
•  Need maturity models and a means of comparison with peers
[Figure: Electricity Subsector Cybersecurity Capability Maturity Model (US Department of Energy), Maturity Indicator Levels (MIL): MIL1 Initiated, MIL2 Performed, MIL3 Managed]
*See last slide for acronyms
• 13. Managing IT Security Capabilities
•  Need to apply controls from a lifecycle and functional perspective, delivering Integrated Strategy & Architecture, Integrated Operations, and Engineering services in each of the ten functional areas below.
Table: each functional area is covered across all seven lifecycle phases (Architect, Design, Deploy, Support, Retire, Maintain, Operate); every cell in the original table is marked X.
 #   Functional Area                             Architect  Design  Deploy  Support  Retire  Maintain  Operate
 1   Security Infrastructure Management              X         X       X        X       X        X         X
 2   Network Admin & Security                        X         X       X        X       X        X         X
 3   Application Security                            X         X       X        X       X        X         X
 4   Endpoint & Server Security                      X         X       X        X       X        X         X
 5   Cryptography & Data Protection                  X         X       X        X       X        X         X
 6   Identity Management & Authentication            X         X       X        X       X        X         X
 7   Asset Management & Supply Chain                 X         X       X        X       X        X         X
 8   Monitoring & Vulnerability Management           X         X       X        X       X        X         X
 9   Incident Response                               X         X       X        X       X        X         X
 10  Policy & Audit & E-Discovery & Training         X         X       X        X       X        X         X
• 14. Along with Some Control System Considerations
Bridging the Information Technology (IT) / Operations Technology (OT) divide will be critical to a successful program: threats hit IT first, but the biggest impact is felt on the OT side.
• 15. Integrating the Data
•  Frameworks operate at 10,000 feet, threats at ground level
–  Need automated mechanisms to report current state
–  In government, we often use the term “continuous monitoring”; commercially it's often “enterprise vulnerability management”
–  Also need to ensure mandated controls stay current with threats
[Figure: roles-based correlation of data from Operations/Engineering, Physical Security, and IT-Telecom/Cybersecurity]
• 16. Putting It All Together
Strategy & Risk Management
–  Assessing and reporting
–  Mapping security controls to an acceptable risk posture
–  Making sure cybersecurity risks are associated with business risks
Security Operations
–  Monitoring systems and networks for attacks
–  Continuously monitoring for vulnerabilities and policy violations
–  Aggressively seeking out threat intelligence
–  Responding to incidents and assisting with the recovery
Security Engineering
–  Researching new protection techniques
–  Designing, deploying, and supporting new security tools and technologies
–  Aligning security tools, techniques, and technologies with the organization's culture and business drivers
Governance & Oversight
• 17. Budgets: How Much Security is Enough?
•  The industry norms
–  Cybersecurity budgets in all industries tend to range from 3 to 10% of the information technology budget
–  For utilities, that number is closer to 3-5%
–  IT budgets vary considerably by industry given the different ways revenue is generated
–  For many, 2-5% of revenue is typical for an IT budget
–  For energy companies, operations technology (such as control systems) may be additional
•  Criteria for additional expenditures
–  Regulatory compliance (as much as 50% of the security budget)
–  Requirements to meet business continuity objectives
–  Desire to meet industry best practices (such as encryption of all removable storage)
–  Changing threat landscape
–  Easily exploitable vulnerabilities
–  Achieving an acceptable risk posture (most subjective & hardest to substantiate)
• 18. Example: Incorporating New Threats
•  Stuxnet
–  Highly targeted and advanced attack on the control systems of an Iranian uranium enrichment facility
–  Included several “zero day” exploits (malicious software targeting vulnerabilities that had not been publicly known)
–  Likely introduced into the “air-gapped” environment through a flash drive
•  Updating security policy and related controls
–  Removable media practices
–  “Out of band” monitoring
–  Application whitelisting
•  Obtain buy-in from senior management → Tie changes to key business objectives (such as key asset protection) → Update budget → Update policies & train employees → Deploy software → Integrate technology
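Application whitelisting, one of the three controls the Stuxnet slide calls out, is easiest to picture as a hash-based allowlist audit: record the SHA-256 of every approved executable on a known-good image, then periodically compare a live control-system host against that manifest and flag anything unknown or changed (a dropped payload from a flash drive, a trojaned library). The following is an added example, not SAIC's code and not part of the deck; the directory names, the set of file suffixes treated as executable, and the "golden image" and host contents are constructed for the demonstration.

```python
"""Hash-based application allowlisting audit (added example, not SAIC's code).

Builds a manifest of approved executables (SHA-256) from a known-good image
and audits a second directory standing in for a live control-system host.
All sample files are constructed in a temporary directory so it runs offline.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Assumption for the example: which suffixes count as executable code.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".bin", ".so"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every executable under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def audit(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a live host tree against the approved manifest.

    unknown  - executable present on the host but absent from the manifest
               (what a removable-media-borne dropper would look like)
    modified - known path whose hash no longer matches (possible trojaned binary)
    missing  - approved executable that has disappeared
    """
    live = build_manifest(root)
    findings: dict[str, list[str]] = {"unknown": [], "modified": [], "missing": []}
    for rel, digest in live.items():
        if rel not in manifest:
            findings["unknown"].append(rel)
        elif manifest[rel] != digest:
            findings["modified"].append(rel)
    findings["missing"] = sorted(set(manifest) - set(live))
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed scenario: golden image, then a host with one dropped and one altered binary."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        host = Path(tmp) / "host"
        for base in (golden, host):
            (base / "hmi").mkdir(parents=True)
            (base / "hmi" / "scada.exe").write_bytes(b"approved HMI binary v1")
            (base / "hmi" / "comms.dll").write_bytes(b"approved comms library")
            (base / "hmi" / "readme.txt").write_bytes(b"not an executable, ignored")
        manifest = build_manifest(golden)
        # Simulate what a flash-drive-borne payload might leave behind on the host.
        (host / "hmi" / "comms.dll").write_bytes(b"approved comms library + patched")
        (host / "hmi" / "update.exe").write_bytes(b"unsigned dropper")
        return audit(host, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9s} {paths}")
```

In production the manifest would be signed and kept off the host, the audit would run from the "out of band" monitoring path rather than on the host's own schedule, and enforcement (blocking execution rather than merely reporting) would come from the operating system or a dedicated whitelisting product; the point here is the comparison logic, which is the same in either case.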
• 19. In Summary
Keys for a Successful Security Program
–  Compliance through lower risk
–  Crossing organization boundaries
–  A strategic approach
–  Future aware
–  Holistic security approach
  • 20. Discussion For more information contact: Gib Sorebo SAIC Vice President /Chief Cybersecurity Technologist phone: 703-676-2605 | email: sorebog@saic.com
• 21. Acronyms
NERC – North American Electric Reliability Corporation
CIP – Critical Infrastructure Protection
NIST SP – National Institute of Standards and Technology Special Publication
ISO – International Organization for Standardization
IEC – International Electrotechnical Commission