The Expanding Web of Cybersecurity Requirements

Presented at the May 11, 2011 UTC Telecom conference, Patrick Miller delves into the expanding web of cybersecurity requirements.


The Expanding Web of Cybersecurity Requirements

  1. The Expanding Web of Cybersecurity Requirements
     Patrick C Miller, President and CEO
     May 11, 2011, UTC TELECOM 2011

  2. Abstract
     “…security is an art – and you cannot legislate art.” - Bill Bryan, Deputy Assistant Secretary of Infrastructure Security & Energy Restoration, US DOE
     The National Electric Sector Cybersecurity Organization (NESCO) is a DOE-funded EnergySec Program

  3. Levity, Sort Of
     So there was this investor-owned, self-insured utility with a critical generation plant in a maritime port, with an onsite credit union and urgent care facility, who processed their own credit card transactions… (PCI, SOX, GLBA, MTSA, HIPAA, NERC CIP, CFATS, state PII)
     …and the transmission bus was in an adjacent facility owned by a Federal Power Marketing Authority… (add FISMA)

  4. Cybersecurity Landscape
     • Security regulations favor new installations; legacy environments are still vulnerable
       – Bolt-ons increase complexity
       – Mixing legacy and bleeding-edge tech is difficult
     • Isolation has diminishing security value
     • Engineering and Security are different
     • Logical distance between kinetic endpoint and HMI is exponentially increasing; “hyperembeddedness”
     • Nation-state quality defense is the new norm

  5. Smart Grid Standards
     • FERC/NERC/PUC lines are not clear
     • Some state commissions do not have expertise or sufficient staff to deal with the smart grid wave
     • Commissions and utilities are both moving forward, but inconsistently
     • Privacy and security will be significant issues
     • Suffering from standard fatigue

  6. NERC CIP Standards
     The Bad News:
     • Often viewed as ceiling vs. floor
     • Little change in over a decade
     • Technical Feasibility Exceptions
     The Good News:
     • Formalized security as a real issue within industry
     • Known minimum bar
     • Fantastic growth potential

  7. Future Standards?
     • Cyber-boogeyman, cyber-FUD
     • Who’s got the cyber legislation pole position?
     • Threats move faster than legislation and regulation
     • Hackers don’t use a checklist
     • If you want legislation really bad, you will get really bad legislation; same for regulation
       – Converse = analysis paralysis; seek equilibrium
     • Good security wasn’t invented yesterday

  8. Future Standards?
     • Intelligent islanding?
     • Data breach disclosure?
     • Vendor/product responsibility?
     • Utility responsibility?
     • Federal presence?
     • Does self-regulation work?
     • Top down or bottom up – or both?

  9. The Question
     • Long: How do we get simple, complementary and comprehensive cyber legislation for all interdependent critical infrastructures, based on solid actuarial risk data, to protect both the public and private sectors, but that doesn’t cause rates/costs to rise to unacceptable levels?
     • Short: Fast, inexpensive, good. Pick two.

  10. Questions?
     Non-profit. Independent. Trusted.
     Patrick C Miller, President and CEO
     patrick@energysec.org
     503-446-1212
