At the 2012 Technologies for Security and Compliance Summit, Patrick Miller gives an overview of electric-sector cybersecurity topics, focusing on information sharing.
EnergySec & NESCO Overview
1. EnergySec & National Electric Cyber Security Organization (NESCO) Overview
2012 Technologies for Security and Compliance Summit
The Anfield Group
August 1-2 2012
Barton Creek Resort – Austin, TX
2. New, New Security Model
Nation State quality adversaries
Fear the auditor more than attacker
Regulatory avalanche forecast
Constant compromise
Ecosystem of organizations
Information sharing is holy grail
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy. 9/1/2012
3. Info-Share to the Rescue!
What does Information Sharing really mean?
– Taking vs. Sharing
– Secrecy for secrecy’s sake
– Government doesn’t share well (yet)
Very useful approach, but not a panacea
Comes with trade-offs…
4. Information Sharing Reality
Some Pros…
– What works, what doesn’t
– Benchmarking
– Situational awareness
– Tactical threat and vulnerability analysis
– Community-sourcing
– Regulatory compliance
– Mentoring
Some Cons…
– Classification and handling, both Gov and Corporations
– Lawyers, agreements and contracts
– Consumers will always outnumber sharers
– Trust; n parties – doesn’t scale well
5. Who is EnergySec?
Unique, non-profit, independent, public-private information sharing organization
Borne from Energy Sector
Bottom-up vs. top-down
TRUSTED
– By the industry, for the industry
– Non-profit 501(c)(3)
– Independent, private
– 10+ years of information sharing experience
6. EnergySec Background
10.2001: Precursor to E-Sec NW formed
7.2004: E-Sec NW formalized and “founded”
– Asset owner/operator ONLY; all volunteer
1.2008: SANS Information Sharing Award
12.2008: Incorporated E-Sec NW as EnergySec
10.2009: 501(c)(3) nonprofit determination
4.2010: EnergySec applied for NESCO DOE FOA
7.2010: EnergySec awarded NESCO FOA
10.2010: NESCO became operational
7. What EnergySec Is NOT…
Not a lobbyist
Not a vendor
Not a consultant
Not a government agency
Not a regulator
8. EnergySec Staff
Extensive applied sector experience
– Many years employment at asset owners
– Operations, security, audit, Sr mgmt, OT, IT
– Regional Entity leadership
– Independent consulting; big firms and boutiques
– Built several successful companies
– EnergySec founders, Info-sharing pioneers
– Certified, trusted, highly connected, dedicated
9. EnergySec Programs
NESCO: Information Sharing & Best Practices
Advisory Service
EnergySec University
– Education/Workforce Development
LIGHTS: Security in a box (turnkey)
– Independent board
– Partnership with ICS-ISAC
10. EnergySec Nonprofit Umbrella
EnergySec: NESCO, Advisory, University, Other…
11. EnergySec Advisory
Customized agenda; facilitated discussion
Examine current and horizon energy sector specific cyber security legislation
Explore methods to meet compliance obligations and enhance security posture
Present threat, vulnerability and impact landscape to executives and staff
Highest concentration of advisors with unique and hard-to-find combination of experience
12. EnergySec University
Professional/workforce development path
– Internal expertise as instructors
– Open faculty roster from best and brightest
– Courses in all IT/OT security-related disciplines
Internship matchmaking – coming soon
Working closely with National Board of Information Security Examiners (NBISE)
13. What Is NESCO?
R. 3183 “...the Secretary shall establish an independent national energy sector cyber security organization...”
– Department Of Energy issued FOA on March 31, 2010
Purpose is to “establish a National Electric Sector Cyber Security Organization that has the knowledge, capabilities, and experience to protect the electric grid and enhance integration of smart grid technologies that are adequately protected against cyber attacks.”
“This organization will serve as a focal point to bring together domestic and international experts, developers, and users who will assess and test the security of novel technology, architectures, and applications.”
14. NESCO Objectives
Organize, lead and implement a public-private partnership
Focus cybersecurity research and development priorities
Identify and disseminate security best practices
Organize the collection, analysis and dissemination of infrastructure vulnerabilities and threats
Work cooperatively with the DOE and other Federal Agencies
Enhance cybersecurity of the bulk power grid and electric infrastructure
15. Who Is NESCO?
Asset Owners
• IOU
• Muni
• Coop
Vendor
• Product
• Service
Govt
• Non-Reg
• Regulatory
• Fed, State…
Academia/Research
• Public
• Private
16. Connect & Support
Utility Asset Owners
17. Membership Growth
18. Member Demographics
Membership by Individual
– Asset Owner: 64%
– Vendor/Other: 22%
– Govt/Regulatory: 12%
– Academic: 2%
Membership by Organization
– Asset Owner: 49%
– Vendor/Other: 35%
– Govt/Regulatory: 11%
– Academic: 5%
1,050 Individual members; 363 unique organizations
Predominately Asset Owner Driven Membership Base
19. Membership Overview
NESCO Members as of Sept 30 2011 (1 year):
– 788 NESCO members
– 278 unique organizations
NESCO Members as of July 12 2012:
– 1050 individuals
– 363 unique organizations
Note: This represents a nearly 50% annual growth rate
20. Social Media Outreach
NESCO mailing list: 3536
NESCO Twitter followers: 2635
NESCO LinkedIn group members: 535
21. Direct Outreach
3 Town Hall meetings
19 Voice of the Industry (VOI) meetings
82 TAC notices; 149 follow up threads
71 presentations/panels
94 event participation
37 blog mentions
43 interviews and article citations
22. Engage, Equip & Empower
Sharing requires trust
Trust is built on relationships
Our approach…
– Bringing people together
– Flexible technology options and solutions to extend and enhance relationships
– Organic growth; birds of a feather
23. NESCO Is Technology
Secure collaboration portal
– Wiki
– Working groups
– Discussion forums
– Email distribution lists
Rapid Notification System
Social Media
– LinkedIn, Twitter, Facebook
24. NESCO Tools
Email distribution lists
Secure collaboration wiki
Secure instant messaging
Rapid notification mechanisms
Resource repository
Most technologies have non-attribution (anonymous) options
25. NESCO Resource Repository
Best/common practices
Policy, process, procedure
Compliance approaches
Document Templates
Code snippets, scripts
System configurations
Links to useful security sites
And more…
26. NESCO Tactical Analysis Center
Supports ES-ISAC and ICS-CERT
Open & private source intelligence
Asset owner volunteer handler
SMEs with virtual “dashboards”
Rapid, community-sourced analysis
Secure communications
Rapid notification system
Daily diaries, trending
Quarterly & annual reports
27. ES-ISAC, ICS-CERT and TAC
An analogy… triage and long term care
Basic differences of the TAC
– Operated by an independent non-profit org
– Not associated with a federal regulatory agency
• DOE partner is non-regulatory
• Funding expires in 2014, only “seed” money provided
• Funding model involves cost-share, so industry bears cost throughout entire effort
– Electric sector specific
– Provides feeds, when requested, to NERC & DHS &…
28. ES-ISAC, ICS-CERT and TAC
Basic differences of the TAC
– Covers all entities, not just Registered Entities under the NERC Functional Model
• Not just Bulk Electric w/ CA and CCA
• Includes smart grid, distribution, QF generation
– NESCO staff work alongside industry handlers
– RNS has direct access to security staff
– Volunteer reporting structure, not mandatory
– Private position offers unique vendor relationships
– Anonymized pass through for bi-directional sharing
29. NESCO Products
Whitepapers
– DNS Exfiltration
– Security Logging Best Practices and Capability Maturity Models
– Public Key Infrastructure, Automated Metering Infrastructure and Industrial Control Systems
– DOE Electric Sector Cybersecurity Capability Maturity Model (ES-C2M2) – coming soon!
– What else would you like to see?
30. NESCO Products
Rapid Notification System
– Night Dragon webcast
– Duqu webcast
– Multiple TAC notices
31. NESCO Success Stories
“…is fantastic that [DOE produces] a document that deals with a subject so technical and that it makes available to the public.”
http://goo.gl/0xiWp
32. NESCO Success Stories
Spearphishing notices from asset owner shared with DHS for action
– Result: DHS ICS-CERT advisory issued
Accounts from service contractor posted to Internet reviewed for asset owner data
– Result: Direct contact warning to specific parties
33. NESCO Success Stories
Exposed control systems posted on Internet matched to asset owners
– Result: Direct contact warning to specific parties
EnergySec spearphishing attempt
– Result: Cross-organization comparison with general industry advisory; IOCs published
34. NESCO Success Stories
Industry and [some] Regional Entities seeking to modify process for Technical Feasibility Exceptions to maximize security benefit
– Result: NESCO provided independent and impartial discussion forum, webinar and industry feedback loop for proposed change to process
35. NESCO Success Stories
36. NESCO Funding Model
Department of Energy FOA
Cooperative agreement
Cost-share is ~40%, ramps over life of 3.5 year “seed” window
At end of seed window, NESCO is fully funded by industry
Supported by underwriters and TAC subscriptions
37. NESCO Summary
Focused on building trust through relationships to further security collaboration and sharing
Flexible technology facilitates and catalyzes information/resource sharing efforts
Supports existing successful programs
Security voice of the electric sector
38. Get Connected
EnergySec Summit: September 25-28
– NESCO Town Hall
– CISO Forum
– Policy and Technical Tracks
EnergySec University Courses
– NERC CIP Training: Las Vegas 10/25
– NERC CIP Training: Sacramento 12/4
– Cybersecurity for Operations: Nashville 11/7
NESCO Voice of the Industry (VOI) Meetings
39. Get Connected
www.energysec.org
www.energysec.org/join
www.energysec.org/tac-subscription-service
TAC@energysec.org
New NESCO website soon!
40. Questions?
Patrick C Miller
Principal Investigator, National Electric Sector Cybersecurity Organization
President & CEO, EnergySec
patrick.miller@energysec.org
503.446.1212 (desk)
@patrickcmiller (twitter)
www.energysec.org