Energy Industry Organizational Strategies to Increase Cyber Resiliency


Published on

Presented by: Julie Soutuyo, Tennessee Valley Authority

Abstract: Over the past 40 years, the energy industry has evolved to a position of dependence upon information technology to accomplish its mission. Cyber attacks have become a “way of life”; as the Nation, industry, organizations, and individuals strive to operate safely and securely in cyberspace. Most rely on a compliance-based “whack-a-mole”; approach to cyber defense which presents multiple barriers to hackers, based on the last attack, with efforts to “hit” any that get inside the organization’s defenses. While still valid, this compliance-based approach has significant challenges: stopping intruders, mitigating the problems they create, and positioning an organization to achieve its mission under a cyber attack. Cyber experts across the Nation are increasingly turning to resiliency as a means for fighting through these attacks with the objective of meeting operational and mission requirements in spite of the attacks. This shift is driving organizations to rethink their organizational structures to achieve unity of effort and streamlined decision-making in the face of a fast paced set of operational demands. This presentation will highlight the strategies to promote a cyber resilient organization.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Energy Industry Organizational Strategies to Increase Cyber Resiliency

  1. 1. Julie  Soutuyo   Senior  Program  Manager   Tennessee  Valley  Authority   Improving  Organiza.onal   Resilience  to  an  Increasing  and   Evolving  Threat     EnergySec  9th  Annual  Security  Summit   September  18,  2013   Denver,  CO   Organiza.onal  Cyber  Resilience  
  2. 2. 2   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   Table  of  Contents   •  The  CEO’s  Challenge   •  Cybersecurity  in  Context   •  The  Cyber  Risk   •  Possible  Solu=ons   The  CEO’s  Challenge          Cybersecurity  in  Context            The  Cyber  Risk          Possible  Solu=ons    
  3. 3. 3   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   On  July  25th,  our  CEO  challenged  the  TVA  staff   to  improve  our  future  economic  posture   •  Doing  so  while  effec=vely  opera=ng  across  four  impera=ves:     –  Debt,   –  Rates,     –  Stewardship,  and     –  Asset  PorNolio     •  In  an  opera=ng  environment  focused  on     –  Trust,     –  Safety,  and     –  Change   •  And  a  significant  evolu=on  of  our  culture   •  His  message  was  clear…the  TVA  must  undertake  major   transforma=on     The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons  
  4. 4. TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   The  company  is  undergoing  a   transforma.on  of  business  and  culture…   •  This  is  an  op=mal  =me  to  make  progress  on   communica=ng  the  benefits  of  becoming  more  cyber   resilient;   –  New  CEO   –  Economic  challenges   –  Changes  in  organiza=onal     structure  and  strategic     direc=on   –  Increased  focus  on     reducing  risk   –  An  appeal  to  all  employees  to  be  innova=ve  in  finding  solu=ons   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons  
  5. 5. TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   The  challenge  is  that  “Cyber”  is  not  always   well  understood  by…   •  Cyber  security  is  seen  as   important  but  many   employees    don’t   understand  the  threat:   –  Cyber  terminology  is   confusing   –  Some  don’t  believe  the  threat   is  “real”       –  Many  feel  that  sensi=ve   networks  and  assets  are   sufficiently  isolated   –  “No  way!  I’m  not  shuZng   down  to  patch  anything!  My   1995  ICS  technology  (with  no   maintenance  agreement  in   place)  is  safe!!”         The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons   •  Execu=ves  are  o`en  in  the   same  “boat”:   –  Didn’t  we  fix  that  already?   –  NERC  CIP  must  be  addressing   my  requirements   –  Not  cri=cal  to  making   electricity   –  What  am  I  geZng  in  return   for  this  investment?   –  Who  else  is  experiencing  this?   Nobody  in  the  industry?  Why   am  I  spending  so  much????   “Uh, I think your Stuxnet ate my Poison Ivy and caused my Duqu to explode after a denial of service…..then the Aurora came after the Shamoon and finally, I just decided to go phishing with my kill chain…” Note:  Cyber  Terms  are  not  “common”  u.lity  jargon!  
  6. 6. 6   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   A  key  component  of  influencing  change  within   an  organiza.on’s  culture  is  to  tell  a  story….   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons   My story about how to become more cyber resilient starts with the network.... ...and ends with TVA in a much better cybersecurity posture by 2020; ready to face next generation cyber threats.
  7. 7. TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   Like  other,  TVA  has  many  different   networks  used  to  operate  the  company   •  Different  types  of  networks    across  the   corporate  and  power  environments  are  the   means  for  execu=ng  the  TVA  mission   –  Opera=ons  managed;  sensor  data  and     decisions  from  ICS   –  Safely  operate  and  maintain  power  plants  and   transmissions  systems   –  Buy  and  sell  power;  bill  customers;  receive   revenues   –  Communicate  internally  and  externally   –  Manage  environmental  requirements   •  These  same  networks  are    the  target  of  cyber   afacks  and  the  poten=al  means  for  afacking   TVA  Cri=cal  Assets  or  Business  Processes   •  The  afackers  are…   –  More  sophis=cated  and  effec=ve     –  With  the  poten=al  for  causing  serious   disrup=on  and  even  destruc=on  of  our   resources   –  Interested  in  achieving  various  objec=ves   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons  
  8. 8. 8   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   Even  as  we  resolve  our  financial  challenges,   we  have  an  opportunity  to  drive  change…   •  Working  collec=vely  on  solu=ons  to  our  networked  security…     –  Across  func=onal  lines  that  have  common  ground   –  To  iden=fy  mutually  suppor=ve  solu=ons     –  Towards  becoming  opera=onally  resilient  to  cyber  afacks   –  And,  the  means  to  tackle  the  broader  financial  challenges   •  NOW  is  the  =me  for  developing  our  cybersecurity  resilience  to  protect  our   networked  resources  and  con=nue  to  fulfill  our  mission  requirements   –  Make  recommenda=ons  to  evolve  our  cyber  opera=ons  posture  from…   •  Compliance   •  To  becoming  agile   •  And  ul=mately  resilient   –  Which  will  allow  TVA  to  recognize     •  Enhanced  cybersecurity  safety   •  Building  trust  and  confidence  across  our  enterprise  and  with  our  customers   •  Avoid  catastrophic  costs  resul=ng  from  an  increasingly  likely  cyber  afack   •  While  embracing  change   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons  
  9. 9. 9   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   1970s.    Introduc=on  of  1st   genera=on  “monolithic”   SCADA  systems   The  TVA  has  been  a  technology  leader   through  the  20th  Century   40s  –  expanded   hydropower   construc=on   60s  –  Introduc=on  of   nuclear  power  plants   50s  –  Largest  electricity   supplier   70s  –  80s  –  Focus  on   energy  conserva=on     90s  –  Increased   compe==on;  clean   air  focus   2000s  –  focus  on  energy,   environment,  and  economic   development   1933.  TVA  established  by  Congress   to  address  environmental,   economic,  and  technological   challenges  including  delivery  of   low-­‐cost  electricity   1969.  The  Internet   (ARPANET)  brought  on  line   1959.  Federal   appropria=ons  ended;   TVA  becomes  self-­‐ financing   Major  TVA  events   Major  Internet  events   1991.    World  Wide  Web  evolves   through  new  protocol,  hypertext   • Explosive  growth  of  the  internet   • Rise  of  social  networking  (e.g.,   Facebook,  Twifer)   • Exponen=al  growth  of  mobility   planorms     1982:  Internet  protocol   TCP/IP  standardized   1980s.  Growth  of  2nd  genera=on   “distributed”  SCADA  systems   1990s.    3rd  genera=on   “Networked”  SCADA  systems     Major  cyber  a_acks     2000.  DDOS  afack  across  commercial   web  sites  ($1.7B  in  damages)   2010.  Stuxnet  infected   Iranian  nuclear  facili=es   2009.  Merrick  Bank  lost  $16M  a`er  hackers   compromised  40M  credit  card  accounts   2003.  Slammer  worm  infected  90%  of  vulnerable   computers  within  10  min  ($1B  in  damage)   1999.  Federal  appropria=ons  for   environmental  stewardship  and   economic  development  ac=vi=es   ended   2012.  More  than  30,000  computers  at  Saudi   Aramco  (oil  company)  destroyed  by  virus   •  IT  revolu=onized  our  industry   –  Affected  every  element  of  power  genera=on  and  delivery   –  Almost  always  “bolted  on”  and  not  “built  in”   •  AND…introduced  significant  risk  from  cyber  afacks   –  With  Increased  frequency,  from  more     adversaries,  with  greater     sophis=ca=on,  against  more     targets,  with  increased     success,  …and  greater  impact   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons  
  10. 10. 10   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   …and  technology  with  the  cyber  threat   has  introduced  risk  to  our  impera.ves     Change   Trust  Safety   Rates   •  Increases  costs  from:     o  Disrup=on  of  service  and  restora=on  requirements   o  Legal  fees  resul=ng  from  the`  or  destruc=on  of  data   •  Poten=al  loss  of  customers  (par=cularly  industrial   customers)   Debt   •  Immediate  impact  to  O&M  costs  to  restore  systems   damaged  or  destroyed  by  a  cyber  afack   o  Could  cause  TVA  to  exceed  its  debt  threshold     Stewardship   •  Loss  of  trust  and  credibility…   o  Customers  due  to  loss  of   privacy  data  or  service  outage   o  Government  due  to  na=onal   power  grid  impacts   •  Safety  …  placing  staff  in  harms   way  working  to  resolve  outages     •  Economic  and  environmental     impacts  resul=ng  from   destruc=on  of  major   environmentally  sensi=ve  TVA   components   Asset  PorNolio   •  Unstable  and/or  unreliable   cri=cal  asset  performance   •  Poten=al  damage,  destruc=on,   and  loss  of  assets     o  Both  short  and  long  term   The  Cyber  Threat  is     driving  unwanted     change  into  TVA     and  in  turn  is    eroding  our     trust  and     safety   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons  
  11. 11. We  can  control  some  of  the  drivers  of  risk   and  some  we  can’t     External  Drivers     Those  we  can’t  control   •  Customers…those  whom  we  serve,  with  expecta=ons  for   –  Uninterrupted  service     –  Reasonably  priced  electricity     –  Protec=on  of  Personal  Iden=fica=on  Informa=on  and   privacy  expecta=ons   –  Environmental  stewardship   •  Government  (e.g.,  NERC)…Drive  oversight  &  regula=ons   –  Drives  cost  (e.g.,  changes  in  “bright  line,”  EPA  requirements)   –  Expects  industry  to  operate  systems  securely  and  safely   (e.g.,  nuclear  facili=es  operate  in  a  virtually  ‘zero  defect   environment”)   •  Industry…Both  Partners/Compe=tors   –  Jointly  managing  the  Na=on’s  power  grid   •  Vendors…suppor=ng  TVA     –  Drive  change  with  updates  and  new  capabili=es     •  Threat  Actors  (e.g.,  hac.vists,  criminals,  Na.on  States)   –  Focused  on  embarrassment,  exploita=on,  the`,  disrup=on,   and  destruc=on   –  Capable  of  taking  over  Industrial  Control  Systems  (ICS)  and   corporate  networks;  shuZng  them  down;  crea=ng   significant  risk  to  TVA  staff  and  customers  (loss  of  service;   restora=on  risks,  etc.)   Internal  Drivers     Those  we  can  control     •  TVA  Organiza=on     –  Decentralized,  =ered,  &  distributed   •  Staff   –  The  guardians  of  TVA  culture   –  Both  driving  and  resis=ng  change   •  Culture   –  Accountability   •  Technology   –  Constantly  increasing  the  pace  of  change  with   technology  refresh,  updates,  patches,  etc.     •  Aged  Infrastructure   –  Some  is  80  years  old…does  not  always  adapt   easily   –  Cybersecurity  technology  solu=ons  generally   bolted  on  vice  built  in   •  Funding  and  Budgets   –  Bounded  (as  our  CEO  reminded  us)   –  Debt  ceiling  is  almost  gone     Can  Impact  our  Costs   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons  
  12. 12. 12   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   This  isn’t  to  suggest  that  only  bad  things   evolve  from  this  challenging  period  of  change   •  Large  scale  change  presents  an  opportunity  to  examine  our  approach  to  cybersecurity     •  Increase  trust  in  our  systems   –  Enhance  our  cybersecurity  posture   –  Revisit  how  we  fund     •  How  much  are  we  inves=ng  now   •  Percentage  of  our  network  coverage   •  Known  risks  in  different  opera=ng  environments  that  have  not  been  addressed  (e.g.,  corporate,  nuclear,  fossil,  etc.)   •  Which  investments  would  create  the  maximum  value  (near,  mid,  and  long  term)  impact   –  Examine  cybersecurity  across  func=onal  elements  (e.g.,  IT,  Opera=ons,  and  Supply/Logis=cs)  to   collec=vely  develop  ideas  and  op=ons  to  befer  secure  our  networks   •  Ul=mately,  cybersecurity  is  about  risk…and  money   –  How  much  cybersecurity  risk  are  we  willing  to  accept   –  At  what  cost     •  To  make  changes   •  To  avoid  poten=al  catastrophic  costs   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons   We  are  not  alone  in  this  struggle…the  en6re  industry  is  challenged  
  13. 13. 13   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   The  CEO’s  challenge  is  an  opportunity  to…   Define  the  cybersecurity  risks  we  face…     …and  the  implica6ons  for  how  we  secure   our  networks   Consider  the  evolving  cyber  environment…   …and  the  poten6al  implica6ons  for  our   future  opera6ons   Jointly  iden.fy  some  possible  solu.ons…     …and  what  other  op6ons  we  might   consider   Expand  our  approach  to  cybersecurity…       …and  consider  cross  organiza6onal,   mul6-­‐func6onal  solu6ons   Redefine  our  understanding  of  networks…     …and  protect  them  as  vital  to  execu6ng   our  mission   Examine  the  costs  of  doing  so…     …and  the  poten6al  costs  of  not   Assess  the  .ming  of  making  changes…     …in  the  near,  mid,  or  long  term   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons  
  14. 14. Today,  the  government’s  cybersecurity  response   focuses  on  regula.ons  &  standards   The  Government  Response   •  NERC  CIP  has  issued  28  documents   detailing  Reliability  Standards   –  Set  standards  for  repor=ng,  cyber  asset   iden=fica=on,  system  categoriza=on,   security  management  controls,  personnel   and  training  standards,  management   (electronic,  physical,  and  systems  security   management),  configura=on  management,   informa=on  protec=on   –  Each  includes  requirements  and  measures;   for  example…   •  CIP-­‐001-­‐2a  has  4  requirements  and  4   measures   •  CIP-­‐002-­‐3  has  4  requirements  with  5  sub-­‐ requirements  and  7  sub-­‐sub  requirements,   and  4  measures   …  And  Industry  Complies   •  Developed  large  IT  organiza=onal   structures  to  meet  requirements   •  Expended  significant  resources  to  protect   systems  and  networks   •  Has  not  been  as  likely  to  adopt   recommenda=ons  (vice  requirements)       •  In  fact…compliance,  all  too  oAen  is  the   founda6on  and  primary  means  for   mi6ga6ng  risk  …              “If  I  comply,  I’m  protected”   Standards,  requirements,  alerts,  repor6ng  and  compliance  serve  an  important   func6on  for  fulfilling  organiza6onal  objec6ves  opera6ng  in  cyberspace   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons  
  15. 15. 15   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   But,  compliance  alone  is  risky  and  the  nature  of   the  energy  industry  poses  addi.onal  challenges   Opera.onal   Organiza.onal   Resourcing   Focus   Compliance-based defense (e.g., NERC CIP and NIST guidelines) Leadership and technical staff from corporate headquarters to distributors are independent Primarily on O&M (vice capital expenditures) to meet regulatory requirements   Challenges   Complex situational awareness; discerning source of disruption or destruction between routine failures vice cyber attacks Need to integrate across diverse operational platforms to establish an operational framework and increase employee awareness Increased costs •  Operating and maintaining multiple IT solutions and architectures •  Executing compliance requirements across multiple organizational elements •  Capital IT expenditures are accomplished independently; plants, vendors, distributors adopt different solutions that frequently aren’t interoperable or require expensive interfaces •  Missed opportunities to gain efficiencies and savings through consolidated, organization-wide negotiations with vendors (vendors often drive solutions) Limited response actions: •  Frequently “after the event” •  Reluctance to shut systems down Organiza=on-­‐wide  solu=ons  to   cyber  afacks  difficult  and  costly   due  to  loose  federa=on  of  IT   infrastructures,  complex  and   different  network  environments,   requiring  specialized  solu=ons   Slowed response waiting for developed, tested, deployed, and approved solutions Result   Increased potential for success of cyber attacks with resulting energy disruption, loss of data and corresponding legal and financial impacts The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons  
  16. 16. 16   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   Those  challenges  affect  our  ability  to  respond   quickly…and  in  cyberspace  it’s  all  about  speed   “Time  is  Money”  was  never  more  true…and  it’s  not  just  one  cyber  aKack…it’s   hundreds…thousands  and  they  aren’t  going  to  stop…  because  it  works   Discovery   Detec=on   Response   Recovery   • Time  between   discovery  of  a  zero   day  vulnerability  and   the  development,   tes=ng,  deployment,   and  implementa=on   of  a  solu=on   • Time  between  a   successful  breach  of   a  network/system   and  discovery  by   the  organiza=on   • Time  to  develop,   test,  deploy,  and   implement  solu=ons   • Time  to  restore   network/systems  to   full  opera=onal   capabili=es   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons  
  17. 17. 17   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   …and  cyberspace  is  not  gehng  any     slower  or  safer   •  Cyber  afacks  are  increasing  every  day   –  Across  the  Na=on   –  Our  industry   –  …and  against  TVA   •  Using  a  wide  variety  of  methodologies   –  “Phishing”  …  social  engineering  of  email   –  Malware  …  plan=ng  tools  and  so`ware   in  our  networks   –  Denial  of  Service  …  denying  us  and  our   customers  access  to  our  networks     –  Ransomware  …  hijacking  computers   forcing  payment  for  release   •  And  it’s  not  going  to  get  any  befer  for   the  foreseeable  future   –  …because  it  works   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons   •  DHS  reported  198  afacks  on  cri=cal  U.S.   infrastructure  in  2012…up  from  9  in  2009   •  In  2012  ,  ICS-­‐CERT  tracked  171  unique   vulnerabili=es  affec=ng  ICS  products  across   55  vendors   •  The  TVA  experienced  an  almost  30%   increase  in  afacks  year  over  year   •  Over  the  last  quarter,  DELL  SecureWorks  has   escalated  269  incidents  beyond  the  SOC  
  18. 18. 18   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   Given  “Time  is  Money”…we  must…   •  Be  more  than  compliant…compliance  ac6vi6es  are  “table  stakes”   •  Be  faster…   –  Iden=fy  vulnerabili=es  faster  across  the  enterprise   –  Iden=fy  afacks  faster   –  Work  the  development,  tes=ng,  and  deployment  of     solu=ons  faster   –  Make  decisions  faster   –  Restore  networks  and  systems  faster   •  Be  more  agile  by  crea=ng  response  op:ons  vice  just  “stopping  the  pain”   •  Systema=cally  build  a  plan  towards  becoming  resilient,  able  to  meet  mission   requirements  by  “figh=ng  through”  cyber  afacks   •  We  need  a  paradigm  shi`  in  our  approach  beyond  compliance  to  become  agile   and  ul=mately  resilient     Time/Speed   Money   Cost  of  a  Cyber  Afack   $$$   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu=ons   The  average  cost  of  a  breach  is  about  $188  per  stolen   record,  and  the  average  loss  per  incident  is  $9.4  million   Ponemon  Ins=tute  
  19. 19. 19   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   A  journey  towards  resilience  can  be   Compliant     •  Con=nue  to  meet   requirements   •  Expand  to  execu=ng   NERC/NIST   recommenda=ons   •  Develop  op=ons  for   becoming  more  agile   and  make  plans  to   become  resilient   •  Evolve  the  TVA   culture  to  embrace   cybersecurity  safety   Agile       •  Harden  network  infrastructure   and  develop  op=ons  and   alterna=ves  to  become  more   robust  to  withstanding  cyber   afacks   •  Develop  architectures  and   acquisi=on  strategies  that  will   serve  as  the  founda=on  for   becoming  resilient   •  1-­‐3  year  =me  frame  to  develop   and  deploy  in  stages       Resilient     •  Build  security  in  to  our   infrastructure   •  Execute  a  plan  and   suppor=ng  architectures  and   acquisi=on  strategy   •  Withstand,  mi=gate,  and   defeat  cyber  afacks  with   planned,  rehearsed,   responses  that  ensure   mission  execu=on   •  3-­‐7  years  synchronized  with   other  programs  and   opera=ons  across  TVA   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu.ons   3-­‐7  Years  1-­‐3  Years  Today  
  20. 20. 20   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   Resiliency  is  a  complex  set  of  that  must  be   programmed  into  our  “opera.onal  DNA”  and  be…   …Planned   …Prac.ced   …Unified   …  and  Resourced   •  Execute  compliance  based   requirements…as  well  as   recommenda=ons   •  Develop  IT/Cyber  architecture   integrated  with  other  u=lity   disciplines  for  next  genera=on   systems   •  With  corresponding  and   suppor=ng  policy  implementa=ons   •  And  suppor=ng  acquisi.on   strategies  for  the  “long  haul”   •  Interdependencies  must  be   understood  and  documented     •  Services,  data  storage,  system   cri=cality  must  be  documented  in   advance  to  program  response   ac=ons  in  a  =mely  manner     •  Cyber  resiliency  must  be   prac=ced   •  Leaders  and  technical  staff   trained  and  exercised  in   roles  and  responsibili=es   •  Immediate  ac=on  drills   must  be  documented  and   rehearsed     Across  large,  diverse,   decentralized   organiza=ons  (e.g.,  TVA)   requires:   •  Coordinated  and   integrated  architectures   •  Standardize  with   “controlled  diversity”  of   approved  tools,   equipment  and  vendors   •  Comprehensive   situa=onal  awareness   across  all  components   •  Consolidated  and   centralized  decision  –   making…there’s  no  =me   for  debate   •  Acquisi.on  strategy  that   addresses  resiliency   requirements   •  Supports  security   architectures   •  Maximize  IT/cyber  resources   and  interoperability  through   vendor  strategies   •  Redundant  (backup)   resources  must  be  iden=fied   and  if  necessary  resourced     We  may  not  simply  declare  we  are  resilient;     rather  it  requires  a  set  of  comprehensive  reforms  organiza:onally  to  evolve  itself.   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu.ons  
  21. 21. 21   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   We’ve  proposed  some  “ideas”  as  a  start  point   for  op.ons  leading  to  resilience  that  are…   •  By  no  means  comprehensive     –  But  intended  to  get  the  discussion  started     •  Grouped  by   –  Network  and  Security  Capabili=es   –  Engineering   –  Organiza=onal   –  Supply  Chain   –  Enterprise  Risk  Management   •  Characterized  along  spectrums  of…   –  Costs  (low,  moderate,  and  high)   –  Time  (near,  mid,  and  long)   •  Opportuni=es  for  the  TVA  staff   –  To  embrace  and  drive  essen=al  change  across  our  organiza=on   –  Build  trust  in  an  environment  of  shared  cybersecurity  safety   –  To  leverage  the  unique  cross  func=onal  quali=es  of  IT/Cyber       The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu.ons  
  22. 22. TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged    Network  and  Security   •  Embed  TVA-­‐wide  IT/Cyber  situa.onal   awareness  within  exis=ng  TVA  opera=ons   center(s)  with  complete  performance   view  of  corporate  and  power  WAN  and   LAN  networks   –  Provide  100%  situa=onal  awareness  of  ALL  TVA   (transmission,  IT,  nuclear,  etc.)   –  Efficiencies  and  cost  savings   –  High  Cost  –  Long  Term     •  Enhanced  Incident  Response   across  the  en=re  enterprise   –  Enhance  Unity  of  Effort  and  decrease  response   =mes   –  Low  Cost  –  Near  Term   •  Evaluate  cybersecurity  effec.veness  of   network  carriers  and  embed   corresponding  requirements  in  contracts   –  Create  op=ons  to  increase  robust  network   capabili=es  and  capacity   –  Low  Cost  –  Mid  Term   •  Work  with  vendors  to  ensure   cybersecurity  is  built  in  to  their  products   including  situa.onal  awareness   –  Moderate  Cost  –  Long  Term   •  Examine  op.ons  for  establishing  the   means  for  Vendor  products  and   our  own  (e.g.,  incorporated  network   firewalls,  wireless  encryp=on  and  DMZ’s   as  the  primary  maintenance  and   diagnos=c  hub  for  plant  )   –  Require  Vendor  cer=fica=on  through  the  facility     –  Moderate  cost  –  Mid  Term   •  Con.nue  to  expand  and  build  on  current   government  rela.onships  at  the  network   level  and  through  policies  and  procedures   –  Low  Cost  –  Near  Term     The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu.ons  
  23. 23. …and…   Engineering   •  Embed  cybersecurity  technology  in  all   Engineering  ini.a.ves  and  architectures  (all   forms,  civil,  mechanical,  power,  IT)    as  a   requirement  for  program  approval   –  Require  resiliency  strategies  in  opera=onal  and   acquisi=on  reviews  and  escalate  the  concept  into   the  strategic  plan   –  Cultural  shi`   –  Low  cost  –  Near  Term   •  Build  an  IT/cyber  architecture  that  captures  the   ideas,  op=ons,  and  plans  for  securing  the   network  to  serve  as  the  founda=on  of  our  cyber   resiliency   –  Low  Cost  –  Mid  Term   •  Improve  and  invest  in  data  reten.on  and  back-­‐ up  strategies  across  TVA  (corporate  IT  and   plant)  to  enable  recovery  when  needed   –  Moderate  Costs  –  Mid  Term   Organiza.onal   •  Inextricably  bind  security  and  safety  e.g.  “If  it’s   not  secure,  it’s  not  safe”   –  Culture  shi`…safely  opera=ng  network,  individual   computers,  etc.   –  Low  Cost  –  Near  Term   •  Promote  cybersecurity  safety  across  the  TVA   (e.g.,  staff,  customers,  vendors,  etc.)   –  For  smart  grid,  demand  response,  financial,  and   other  inter-­‐connec=ons   –  Low  Cost  –  Near  Term   •  A_ract  and  recruit  technology  companies  into   Tennessee  Valley  who  build  programmable   components  and  thereby  enhance  the  defense   industrial  base  security  and  that  of  u=li=es/ cri=cal  infrastructure   –  Manufacturers  become  customers   –  Low  Cost  –  Long  Term   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu.ons  
  24. 24. …and…   Supply  Chain   •  Perform  a  source  of  supply  analysis  on   programmable  logic  components  (relays,  switches,   routers,  etc.)  to  determine  country  of  origin;   conduct  cost-­‐benefit  analysis  for  replacing  PLCs   per  risk  analysis   –  Low  Cost  –  Near  Term   •  Increase  security  specifica.ons  on  all  acquisi=ons   –  Low  Cost  –  Near  Term   •  Reward  vendors  and  partners  who  exhibit   excep.onal  security  performance   –  Contractual  requirements,  measures,  and   rewards  for  securely  maintaining  vendor   supplied  technologies   –  Create  vendor  guidelines  for  security   standards  through  contracts   –  Low  Cost  –  Near,  Mid,  and  Long  Term   (contract  dependent)   •  Use  pre-­‐ve_ed  Government  contract  vehicles  to   acquire  security  services  when  possible   –  Low  Cost  –  Near  Term   Enterprise  Risk  Management   •  Raise  cyber  risk  awareness     –  Understand  the  impact  of  cyber  threats  to  all   current  TVA  Risks   –  Low  Cost  –  Near  Term   •  Adjust  Enterprise  Risk  Management  (ERM)  to   more  fully  address  financial  implica=ons  of  the   risks  and  impacts  of  cyber  afacks   –  Low  Cost  –  Near  Term   •  Expand  opera.onal  risk  view  to  “look  outside   the  fence”  and  ensure  communica=ons  and   collabora=on  are  occurring  with  en==es   external  and  internal  to  TVA   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu.ons  
  25. 25. 25   TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   We  won’t  get  there  overnight     …  but  we  need  to  start  now     Acquisi=on  strategy  drawn  from  a  comprehensive  architecture  to  balance  capital  with  O&M  expenditures   Consolidate  IT  Architecture  to  guide  IT  and  cyber  decisions     Vendor/Supplier  DMZ  established  elimina=ng  remotely  managed  systems   Mission  Cri=cal  Environment  for  management  of  most  important   data  and  systems   “Smart  Grid”  deployment   Unified  cyber  incidence  response  strategy   Ideas  –  Op=ons  –  Plan   Embed  IT/Cyber  situa=onal   awareness  capabili=es  in  opera=ons     Create  so`ware,  hardware  tes=ng  capability  including  wireless  &  mobility   Publish  Vendor  Security  requirements   2013  -­‐  Compliant   (meet  requirements)   2016  -­‐  Agile     (have  op=ons)   2020  –  Resilient   (cybersecurity  built  in)   The  Threat   Build/Expand  cyber  intelligence  sources   Perform  source  supply  analysis  of  cri=cal  cyber  components   Afract/recruit  technology  companies  to  the  valley   Our  goal  must  be   to  close  this  gap   The  CEO’s  Challenge          Cybersecurity  in  Context          The  Cyber  Risk          Possible  Solu.ons   In the 20th Century TVA built an incredible economic engine for the Nation and benefited immeasurably from advances in technology; In the 21st Century we must now transform how we employ that technology to protect our mission
  26. 26. TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   So  here  is  the  bo_om  line   •  We  face  serious  financial  challenges     •  Over  the  past  50  years,  advances  in  technology   made  significant  contribu=ons  to  achieving  the  TVA   mission   –  Today,  virtually  everything  we  do,  depends  on   the  network   –  That  reliance  has  introduced  significant   business  risk  …  and  the  cyber  threat  is   growing   •  Our  approach  to  cybersecurity  has  been   par=ally  compliance  based…but  we  are   making  cuZng  edge  investments  to  develop   a  broader  capability  and  have  been  lauded   by  mul=ple  agencies  for  our  dynamic   approach   •  We  s=ll  need  a  paradigm  shi`  across  the   agency   –  Con=nue  to  be  fully  compliant   –  Increase  response  op=ons  to  become   resilient;  focused  on  con=nuing  the  mission     –  Engineer  cybersecurity  standards  in  the   system  design  process  and  a  suppor=ng   cyber/IT  acquisi=on  strategy     •  We’ve  captured  ideas  from  across  the  TVA   …  we  need  to  examine  them  and  iden=fy   more     •  And  as  we  do  so…  fulfill  our  CEO’s   challenge   •  And  the  broader  set  of  benefits  we  may   derive  are  compelling   –  Serve  as  an  industry  leader  for  how  to   integrate  cybersecurity  and  energy/power   –  Leverage  the  collec=ve  efforts  to  evolve   our  culture     –  Exercise  cross  func=onal  ini=a=ves  in   developing  workable  op=ons     –  Enhance  both  trust  and  safety  through  the   process     There  will  be  costs…but  the  cost  of   doing  nothing  could  be  staggering  
  27. 27. TVA  Restricted  Informa=on  –  Delibera=ve  and  Pre-­‐Decisional  Privileged   Tennessee  Valley  Authority   Julie  Soutuyo   Senior  Program  Manager   Email:   Phone:  (703)  862-­‐0819   Discussion,  Ques.ons,  and  Feedback   Discussion,  Ques=ons  &  Feedback