Security From the Ground Up - Presentation Transcript

• Security From the Ground Up
  Steven Parker, May 3 2011, ICSJWG Spring Conference
  The National Electric Sector Cybersecurity Organization (NESCO) is a DOE-funded EnergySec Program

• Thesis
  • Because top down approaches have proven insufficient, and in some cases detrimental, to advancing the security posture of critical infrastructure, bottom up efforts are needed that engage practitioners, equip them with tools and resources, and empower them to take action.

• Thesis (Tweetable version)
  • Security depends more on people than policy. #icsjwg #nesco

• Me & My Org
  • My name is Steve
  • I work for EnergySec
  • EnergySec is currently working exclusively on a DOE funded project to establish the National Electric Sector Cyber Security Organization (NESCO)

• One of My Failures

• Things I Know a Little

• Things I Know a Little Less
  • Industrial Control Systems
  • EMS/DCS
  • Protective relays
  • Communications equipment
  • SCADA

• History
  • 7/2004: EnergySec founded as E-Sec NW
  • 1/2008: SANS Information Sharing Award
  • 12/2008: Incorporated as EnergySec
  • 10/2009: 501(c)(3) nonprofit determination
  • 4/2010: EnergySec applied for National Electric Sector Cybersecurity Organization (NESCO) FOA
  • 7/2010: NESCO grant award from DOE
  • 10/2010: NESCO became operational

• What Is The NESCO?

• What NESCO Isn't

• Tweetable Quote #1
  • The collective smarts of industry peeps is orders of magnitude > any 1 person or org #icsjwg #nesco
  • The collective intelligence and wisdom of industry practitioners is orders of magnitude larger than any one person or organization.

• What's Wrong with Top Down?
  • "Increasing use of corporate resources for regulation compliance activities reduces the resources available for security enhancements."
  • "For example, as a result of the NERC CIP standards, some utilities shifted to less efficient technologies because the cost to comply was greater than the cost to use an older technology. Others spent resources on compliance that were originally intended for additional cybersecurity measures."
  • http://www.controlsystemsroadmap.net/pdfs/2011_roadmap_draft.pdf

• What's Wrong with Top Down?
  • "Organizations have made PCI DSS and compliance in general the basis of their information security policies. They're basing security on sloppy logic from Visa and MasterCard and in the process are ignoring some very bad state-sponsored threats. As a community, we have not evolved at all."
  • "There are really bad people out there doing bad things and few pay attention to things like state-sponsored attacks and cyber warfare. This is because everyone's focusing on compliance."
  • Josh Corman, Nov 4, 2009
  • http://www.csoonline.com/article/506635/analyst-pci-security-a-devil-like-no-child-left-behind-

• Tweetable Quote #2
  • Regs r like Socialism; Proponents blame failure on poor implementation, not inherent flaws #icsjwg #nesco
  • Regulation is like Socialism; proponents blame its failure on poor implementation rather than its inherent flaws.

• A Tale of Two ESPs
  • "The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter."

• Tweetable Quote #3
  • We can prescribe action, but not attitude, and attitude is the secret sauce of security #icsjwg #nesco

• A Ground Up Approach
  • Engage
  • Equip
  • Empower

• Engage
  • NESCO outreach programs
    – Annual Summit (October 2011, San Diego)
    – Town Hall Meetings (August, Seattle area)
    – Voice Of The Industry Meetings (everywhere)
    – Interest Groups (Workforce Development, Forensics, etc.)
    – Webinars, Briefings
    – Portal/Forums
    – Email distribution lists
    – Social media

• Equip
  • ROS³ES - Repository of Open Source Security Solutions for the Energy Sector
    – Program supporting the use and development of open, industry specific security solutions
  • NESCO Academy
    – Cybersecurity education and workforce development
  • Share
    – Case studies, good practices, tactical awareness, etc.

• Empower
  • "I'm slowly becoming a convert to the principle that you can't motivate people to do things, you can only demotivate them. The primary job of the manager is not to empower but to remove obstacles."
  • - Scott Adams, creator of Dilbert

• Tweetable Quote #4
  • The secret to securing CIKR is finding the right people and getting out of their way #icsjwg #nesco
  • The secret to securing critical infrastructure is to identify the people with the requisite knowledge and skills, and then get out of their way.

• The Physics of Organizations: Inertia
  • Inertia is the resistance of any physical object to a change in its state of motion or rest, or the tendency of an object to resist any change in its motion. It is proportional to an object's mass.
  • Even positive and needed change is hard

• The Physics of Organizations: Momentum
  • Momentum is the product of the mass and velocity of an object. Like velocity, momentum is a vector quantity, possessing a direction as well as a magnitude.
  • Action in the wrong direction can be worse than no action at all

• The Physics of Organizations: Gravity
  • The force that attracts a body toward the center of the earth
  • The incessant pull of mediocrity.

• The Power to Change
  • A force is any influence that causes a free body to undergo a change in speed, a change in direction, or a change in shape.
  • In the context of organizations and institutions, force comes from people.

• You CAN Make a Difference
  • "Never doubt that a small group of thoughtful, committed people can change the world. Indeed, it's the only thing that ever has." - Margaret Mead