The document discusses the implementation of CIP-014 from an auditor's perspective, including an overview of the requirements for conducting risk assessments of transmission stations and developing security plans, and tips for entities in complying with the standard within the required timeframe of less than one year. It also summarizes the FERC's proposed modifications to CIP-014 and requests for additional filings on physical security.
Using IP Cameras and Advanced Analytics to help Protect Critical Infrastructure (EnergySec)
Leveraging the technology advancements in video analytics, THRIVE Intelligence has developed an end-to-end video monitoring and management service from the camera to the Monitoring Center, where video is monitored 24/7 by trained Security Intervention Specialists. THRIVE IP cameras are installed with edge-based video analytics, making the camera intelligent. When an alarm or event occurs, it’s immediately reviewed by specially screened, trained and certified personnel at our Monitoring Center, who will dispatch officers or first responders (if necessary) based on the event protocols set. THRIVE analytics eliminates incidents of false alarms, and operator interaction ensures proper response. Live footage of events can be streamed directly to customers and to law enforcement officers en route via a smartphone, tablet, or computer. iOS and Android apps have been developed to work with the THRIVE solution. THRIVE’s video analytics first stabilizes the image and then learns the environment, which allows our analytics to automatically overcome environmental conditions such as light changes, repetitive motion, and adjustments to the image caused by rain, fog, dirt and low light.
In this presentation, THRIVE will demonstrate the capabilities of its camera analytics and our 360 solution that is offered to end users.
Industry Reliability and Security Standards Working Together (EnergySec)
It’s never too early to start thinking about where the standards are going and where your program should be heading. This presentation will discuss how energy organizations should consider furthering alignment to NIST 800-53 Rev 4; focusing on security maturity opportunities such as threat management; addressing third parties and vendors and developing processes to help satisfy control-based security objectives.
Dependable, Cost-effective & Customized Professional Security Services
Security solutions are at the heart of what we do at Servexo. Committed to safeguarding our customers and their assets, we have the tools, training and experience to provide the most reliable security services available. Our security service provides the much-needed peace of mind in today’s relatively hostile world.
Servexo understands that organizations are under increasing pressure to maintain safe & secure operations while keeping costs under control. Our security solutions help you achieve that by tailoring a plan to your specific needs.
When a new security vulnerability is identified or during a large-scale attack, accurate and fast coordination is critical. While runbooks exist for many of the technical challenges, executing them in concert and filling the gaps between them requires creativity and quick thinking as well as discipline, a strong ability to read situations, and a willingness to make tough decisions.
As a content delivery network, Fastly operates a large internetwork and a global application environment, which face many security threats. Recognizing the impact security events can have, Fastly developed its Incident Command protocol, which it uses to deal with large-scale events. Maarten Van Horenbeeck, a lead on Fastly’s security team, and experienced incident commanders Lisa Phillips and Tom Daly explore how Incident Command was conceived and the protocols that were developed within Fastly to make it work. The three share a number of war stories that illustrate how Incident Command contributes to protecting Fastly, its customers, and the many end users relying on the service. Examples include a major software vulnerability that affected a Linux component in common use across Fastly and a large attack. Maarten, Lisa, and Tom cover in detail the typical struggles a company Fastly’s size runs into when building around-the-clock incident operations and the things Fastly has put in place to make dealing with security incidents easier and more effective.
Solving the CIO’s Cybersecurity Dilemma (John Gilligan)
Solving the CIO’s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense. A presentation by John M. Gilligan at the National Summit on Planning and Implementing the 20 Critical Controls, held in November 2009.
An analyst's perspective on measuring safety performance, discussing reactive and proactive indicators, ideas on developing proactive indicators, and a balanced scorecard approach to safety metrics
More Practical Insights on the 20 Critical Controls (EnclaveSecurity)
This presentation is for both alumni of the SANS 440 / 566 courses on the 20 Critical Controls and anyone considering implementing these controls in their organizations. Since the first version of the 20 Critical Controls was released, many organizations internationally have been considering implementing these controls as guideposts and metrics for effectively stopping directed attacks. Some organizations have been doing this effectively; others have struggled. This presentation will give case studies of organizations that have implemented these controls and what they have learned from their implementations about what works and what does not work in practice. The discussion will focus not only on what organizations are doing to implement the controls, but also on what vendors are doing to help automate the controls and the status of resources and projects in the industry. Students will walk away with even more tools to be effective with their implementations.
Colin Robbins, Managing Consultant from Qonex, looks at the government-backed scheme and gives a basic guideline on how SMEs can achieve Cyber Essentials.
First presented at the East Midlands Cyber Security Conference and Expo.
For more cyber security resources visit www.qonex.com
Information Assurance Metrics: Practical Steps to Measurement (EnclaveSecurity)
Show up to a security presentation, walk away with a specific action plan. In this presentation, James Tarala, a senior instructor with the SANS Institute, will be presenting on making specific plans for information assurance metrics in an organization. Clearly this is an industry buzzword at the moment (listen to presentations on the 20 Critical Controls, NIST guidance, or industry banter). Security professionals have to know that their executives are discussing the idea. So exactly how do you integrate information assurance metrics into action in an organization and actually achieve value from the effort? Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of their security program. Small steps are better than no steps, and by the end of this presentation, students will have a start on integrating metrics into their information assurance program.
eCompliance, Cameron Freese: Measuring and Communicating Safety Performance (eCompliance)
Performance can be measured in many ways, but the choice of which metrics to use and how to communicate them effectively across the organization plays an important role in establishing a strong safety culture and overall management system. Explore how Aecon uses leading and lagging indicators across their business to identify themes or trends and take action.
What We’ve Learned Building a Cyber Security Operation Center: du Case Study (Priyanka Aash)
The cybersecurity landscape is rapidly evolving, with new threats and threat actors emerging, and traditional security operations centers (SOCs) need to be augmented accordingly. This session will detail the journey of du in building and continually enhancing its SOC, physically and philosophically, to best deal with attack detection (offensively and defensively) and response.
(Source: RSA Conference USA 2017)
The SANS Institute, in collaboration with the Center for Strategic and International Studies (CSIS), has recently released updates to the 20 Critical Controls / Consensus Audit Guidelines. These updates are based on industry changes and new attack signatures which have been collected over the previous 18 months from those directly involved on the front lines of stopping targeted cyber-attacks. This presentation will share details on the changes to the most recent version of the controls and share insights into the development of the controls and future evolutions, along with practical tips collected from organizations actively involved in implementing these controls.
Prioritized Approach: Twenty Critical Controls 2008 (Donald E. Hester)
Based upon the Consensus Audit Guidelines, 20 critical IT controls have been selected for priority implementation. Getting the biggest bang for your buck in cyber security.
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att... (EnergySec)
In May 2014 the US Department of Homeland Security and its Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, issued a report confirming several recent attacks on public utilities from the first quarter of 2014. DHS confirmed that a sophisticated threat actor gained unauthorized access to an unnamed public utility’s control system network.
Incidents of this type haven’t been as widely publicized as recent retail breaches, but it is believed by many that there are far more incidents occurring within the Energy Sector than are heard about in the press. Lack of enforced and implemented policy and compliance, poor capability for early detection of threat indicators, and lack of visibility and automation may all be contributing to failure in rapidly detecting attacks and breaches.
Essential Power™ (formerly known as North American Energy Alliance) is a wholesale power generator and marketer providing electric energy and located in the North Eastern United States. Essential Power will share a case study on its own journey towards achieving NERC CIP compliance within a very short five-month timeline, and how they did it.
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A... (EnergySec)
Presenters: Robert Landavazo, PNM Resources and Katherine Brocklehurst, Tripwire
With countless hours of work to go, PNM was far from ready for its coming audit in just 18 months. Confidence levels in its existing manual and incomplete security controls were at an all-time low, and the visibility into control center environments needed to quantify its status and progress towards compliance was lacking.
With Tripwire, PNM’s preparation for the looming CIPv3 audit noticeably improved. With efficient reporting and automation, PNM is now positioned to hold itself accountable for CIP auditable compliance of more than 3,500 explicit and supporting control points, satisfying CIP-002-3, CIP-004-3, CIP-005-3, CIP-007-3 and CIP-009-3. In addition, enhanced visibility and better control gave PNM the ability to effectively communicate meaningful and measurable initiatives to executive teams – resulting in increased support for their funding needs.
In this session, PNM – New Mexico’s largest electricity provider – will share a case study on its journey towards achieving continuous NERC CIP compliance despite a highly limited headcount, how it saved countless hours of labor-intensive manual effort, and the essential role that automation played in its success.
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role (EnergySec)
Presenter: Joseph Loomis, Southwest Research Institute (SwRI)
Asset Owners face challenges as they strive towards implementing the NERC-CIP V5 requirements. Meeting the requirements often requires documentation and technical knowledge of how an asset operates that can only be provided by a Vendor. Vendors, likewise, may be unclear about how the NERC-CIP requirements affect them, and are unsure about how to meet the technical requirements. In this presentation we detail the lessons learned from a recent project where SwRI worked with a Vendor to determine how the requirements apply to them and what the Vendor needs to have in place to help support an Asset Owner in an audit.
Risk Assessment Presentation by Affygility Solutions (Dean Calhoun)
In this 81-slide presentation, Dean Calhoun of Affygility Solutions discusses the history of risk assessments, the regulations requiring risk assessments, and the different types of risk assessments. Several examples are provided.
Cybersecurity and the regulator: what you need to know (Cordium)
The U.S. Securities and Exchange Commission (“SEC”) has begun to focus in earnest on cybersecurity-related issues at the SEC’s regulated investment adviser and broker-dealer firms. In April 2014, the SEC Office of Compliance Inspections and Examinations (“OCIE”) announced its Cybersecurity Initiative in a National Exam Program (“NEP”) Risk Alert. In response, this presentation will cover compliance and technological aspects of a cybersecurity risk assessment and steps firms are taking to enhance cybersecurity protections.
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk... (Cam Fulton)
Learn how to evaluate risk, what the differences are between vulnerability assessments and penetration tests, and when to implement both.
Presented by AWA International, a division of I.S. Partners, LLC https://www.ispartnersllc.com/awa-international-group/
What you should know about Requirements 4, 5, and 6 of the NERC Physical Secu... (Audio Solutionz)
Get an in-depth review of the new NERC Physical Security standards and how they relate to threat and vulnerability assessment and legal and regulatory compliance.
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment
Presenter: Sean McCloskey, Program Manager, Cyber Security Evaluations Program, DHS
Description: With all the constant innovation in cyber, what is “cutting edge”? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply with standards, and meet other mandates? What areas still need resources, ideas and innovation? Join us to hear about advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.
Introduction to risk assessment and management. What is risk assessment and management? How do you evaluate and analyze risk? Why are risk assessment and management necessary? What are the basic steps for risk assessment and management?
Learn crane and rigging management systems from one of the top General Contractors in the U.S. known for its comprehensive training and focus on employee safety. This three-part session will provide insight into Kiewit’s essential management principles that you can implement in your company.
The topics include:
new operators: hiring, training and technology
risk assessment and mitigation for cranes on job sites
rigging personnel and qualifications
lift planning and incident reporting
Speaker: Bret Shields, Corporate Crane Compliance Manager, Kiewit Crane Services
A presentation on what Risk Based Monitoring (RBM) is all about: the value of getting it right, and the risks of getting it wrong. We look at the Triumph Research Intelligence (TRI) approach to RBM and the TRI solution for RBM, and give an insight into the future of Visual OPRA.
Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense (EnergySec)
When we talk about cyber security, we recognize that it is part of a holistic approach to security and critical infrastructure protection. Tools and technology are not enough to ensure that mission critical systems provide the capabilities needed for the military, continuity of government and commercial enterprises to continue operations in the face of emerging threats. Recognizing the unique nature of our location on the Hawaiian Islands in the middle of the Pacific, we also understand the importance of collaboration and alignment of critical infrastructure protection among the military, state government, commercial and public stakeholders. A comprehensive approach needs to include innovative capabilities, a thorough analysis of operational dependencies, and the organizational collaboration required to protect critical capabilities. In this session, we will discuss our innovative approach to developing a holistic cyber security program for critical infrastructure and share a case study to help you think differently about your own approaches to security.
Slide Griffin - Practical Attacks and Mitigations (EnergySec)
Over the past few years, penetration testing has gotten easier. What used to take a week of scanning, analysis, and exploit research now happens in one day on average in a common IT environment. The efficiency of compromise has increased based on several factors including increased knowledge sharing, more robust computing, and automated exploitation tools. OT environments are often utilizing the same operating systems and are prone to many of the same attacks. The main differences are the presence of custom protocols, embedded systems, and lack of formal security programs to address the gaps created by two-way data communication networks.
This talk will show the most common attacks which our team currently uses to gain access and control over the networks and systems we test. More importantly, we will discuss the “top 10” things an organization can do to mitigate, remediate, and have active visibility into critical systems.
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real... (EnergySec)
Innovative and disruptive technologies are enhancing and invading our traditional industrial business model. Future organizations will need more data to operate efficiently and succeed in the brave new interconnected world. The diversity of new technologies and data will fuel more diversity in business opportunity. Everyone expects more OT, more IoT, and more IT – and all of it is supposed to be highly reliable and secure. These factors (and more) lead to a landscape shift for the mission-critical cybersecurity risk profile.
In this session, hear ways to recognize the problems and gain some clarity on possible solutions through historic lessons, made up words, and practical front-line experience.
Almost 70 years since the first computer bug was discovered, there has been decades of research done on Information Security theory and practice. Yet, despite vast amounts of money being spent, innumerable academic papers, mainstream media obsession, and entire industries being formed, we are left with the impression that the risk is growing, not receding. Why? Some argue a lack of data, but data clearly exists. We’re likely generating it, in some areas, faster than humans will ever be able to process it. Perhaps, after all of this effort, we’ve managed to box ourselves into metaphors and first principles that might be inappropriately constraining how we think about “Information Security Risk”. In fact, it’s worth noting that we can’t even agree if there is a space between “Cyber” and “Security” when it’s written out. This talk will take an anecdotal look at “Information Security Risk”, “What IS Cyber Security?”, and use that perspective to suggest areas of research that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change. In an industry filled with data, perhaps an examination of empty space might be helpful.
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...EnergySec
In our modern world, we’ve learned to take for granted the universal availability of things like running water and electricity, and more recently, the Internet. As technology progresses, we are rapidly approaching a future in which nearly everything is digitally connected to nearly everything else. At the same time, we are learning to accept that all digital devices are broken from a security perspective. How we respond and adapt to this reality could well determine whether our future is utopian or dystopian. In this interactive session, we will explore novel avenues of attack using digital “soft targets”, and discuss how we might hold things together in the face of persistent vulnerability.
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityEnergySec
An interactive look at what security research means today and how we got to zero days, bug bounties, and hoodie hackers in the news. What particular skills or talents are most essential to be effective as a security researcher, and how much can we learn from the new digital anthropologist in waiting.
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementEnergySec
The NERC CIPv5 deadline is fast approaching, and it’s not too late to be prepared. Join Mark Prince, Manager Operational Technology Fossil, from Entergy, Karl Perman, VP Member Services from EnergySec and Tim Erlin, Director from Tripwire to discuss achieving and maintaining NERC CIPv5 compliance in a fossil generation plant. We’ll cover some of the challenges that Entergy has experienced in their NERC CIPv5 compliance journey. Specifically, we will discuss configuration change management and how to leverage technologies for these requirements and consider what life would be without them.
Explore the Implicit Requirements of the NERC CIP RSAWsEnergySec
Regulated entities should consider the RSAW templates when preparing evidence of compliance with the NERC CIP Standards. There are a number of implicit requirements in CIP v5 which an entity needs to fulfill to be compliant, which are not specifically identified in the actual requirements.
In this webinar, our experts will discuss such implicit requirements. Key learnings from this session:
RSAW format
Implicit requirements of CIP RSAWs
Leveraging technology for RSAW management
Wireless Sensor Networks: Nothing is Out of ReachEnergySec
Presenter: Daniel Lance, Layered Integration
After years of installing wireless sensor networks in homes and businesses, we are now faced with the question: “How is this all secure? Or is it?” This is a look into the history of WSNs (Wireless Sensor Networks) and the original design concepts that paved the road to our using them in everyday life.
This presentation will be a deep dive into wireless and reveal the new challenges we face in protecting our perimeter when all of our core monitoring devices are riding a wave into the public space, as most industrial control providers look to capitalize on fast installation times and inexpensive adaptive solutions. This research shows, start to finish, how anyone with a laptop and an SDR (Software Defined Radio) can hack into and take control of WSNs from outside the front gate.
The presentation will demonstrate how a device inside your facility might reveal itself through spectrum analysis, then how an attacker might flank the security of the device and own the network with very simple replay attacks that can grant them physical access, and how social engineering before and after installation can cause you to disregard warning signs that someone is tampering with the network. A high-level understanding of radio is no longer needed for packet analysis with open source tools, so proper implementation has never been more important: even an encrypted device can be compromised in the last mile before installation. We will talk about the tools security professionals are lacking from the manufacturers of these devices to scan for a compromised device, and what can be done in the future to protect WSNs.
Presenter: Mikael Vingaard, EnergiNet.dk
The goal of a honeypot (a fake ‘vulnerable’ IT system or service) is to learn more about your attackers and the methods they will use to breach your ICS/SCADA systems. But how can the energy sector actually benefit from using a honeypot?
Danish information security researcher Mikael Vingaard has used various free open source software packages to deploy ICS/SCADA honeypot systems, and will share his experiences from the research and present interesting findings from the collected information.
The talk will discuss the pros and cons of honeypots, how to use honeypots as an early-warning system, and some interesting points on using honeypot systems seen from the energy sector.
The presentation will showcase that gaining access to actual ICS threat intelligence can be done – even in budget constrained organizations.
Presenter: Mike Firstenberg, Waterfall Security Solutions
NIST, NERC CIP, the ISA/IEC and other authorities are adjusting their advice for secure industrial networks to include at least one layer of hardware-enforced unidirectional communications. Many security practitioners are familiar with specific applications of Unidirectional Security Gateway technology, but fewer have seen how widely the technology is being deployed throughout the electric sector.
Join us to review comprehensive unidirectional network architectures for generation, transmission, distribution, high-voltage substations, and control centers/TSOs/balancing authorities. In each vertical we review use cases, examine NERC CIP compliance implications and cost savings, and compare the strength of each architecture with legacy firewall-based designs.
Industrial Technology Trajectory: Running With ScissorsEnergySec
Presenter: Patrick Miller, EnergySec (President Emeritus)
Innovative and disruptive technologies are enhancing and invading our traditional industrial business model. Future infrastructure organizations will need more data to operate efficiently and succeed in the brave new interconnected world. The diversity of new technologies and data will fuel more diversity in business opportunity. Everyone expects more OT, more IoT, and more IT – and all of it is supposed to be highly reliable and secure. These factors (and more) lead to a landscape shift for the industrial cybersecurity risk profile. In this session, hear ways to recognize the problems and gain some clarity on possible solutions through historic lessons, made up words, and practical front-line experience.
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...EnergySec
Presenter: David Zahn, PAS
Industrial control systems represent the brass ring for hackers who want to disrupt plant operations and negatively impact safety and productivity. The problem for cybersecurity professionals is that plants have highly vulnerable proprietary control systems where configuration data is not visible via standard WMI or SNMP calls. Yet, it is this same configuration data, such as I/O cards, firmware, installed software, and more, that hackers work hard to attain as it aids them in gaining control over industrial systems within plants.
As the saying goes, “you can’t manage what you can’t measure.” Taking inventory of this hidden configuration data and doing so for all control assets is difficult. Plants as a result fall short of achieving centralized, automated inventory – a cybersecurity best practice and a necessary precursor to effective change management. So how do you address change management when important security data is kept locked within each vendor’s distributed control systems, programmable logic controllers, and remote terminal units?
In this session, we’ll explore the types of inventory data that comprise a best practices cyber security plan. Next, we will dive into cost effective, accurate automation opportunities for inventory discovery and maintenance of heterogeneous proprietary and non-proprietary control assets. Finally, we’ll present a case study for implementing best practices for hardening ICS cyber security and automating management of change.
Agenda:
Building and Maintaining an Accurate ICS Inventory
Best Practices in Inventory Automation
Case Study
Where Cyber Security Meets Operational ValueEnergySec
Presenter: Damiano Bolzoni, SecurityMatters
What if cyber attacks were not the most prominent threat to industrial networks and systems? Although malware is still a major point of interest, the sword of Damocles for industrial networks is represented by insider threats such as system misuse performed by disgruntled employees, contractors and vendors, unintentional operator mistakes, as well as network and system misconfiguration and uncontrolled configuration changes; all this could lead to the divergence or failure of critical processes.
In this talk we reshape the concept of ICS security and demonstrate through case studies in different critical infrastructure sectors that the real value of industrial network monitoring goes beyond detecting cyber attacks: above all, it includes maintaining awareness of network and process operations and obtaining actionable intelligence that allows operators to preserve their overall health. We will show how the use of innovative network monitoring approaches can support security, operations, and network managers to:
Gain IT visibility of OT networks and full situational awareness of the network and process
Detect complex and advanced cyber attacks against industrial networks
Mitigate operational mistakes and misconfiguration
Presenter: Chris Sistrunk
Why haven’t we seen more ICS-focused attacks? Perhaps it’s because we’re not looking for them. The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long-cycle, and some systems and devices will unfortunately never have patches available.
In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation looks at using NSM as part of an incident response strategy in ICS, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS cyber security program.
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...EnergySec
After a brief introduction by Mr. Humphreys, Henry Bailey will talk a few minutes about SAP’s roadmap for utilities. This will be followed by a discussion led by Chris Humphreys about the evolutionary transition from disparate point solutions to enterprise-wide, end-to-end, Regulation Management where controls are consolidated and leveraged such that compliance is a byproduct of industry best practices. Finally, Mr. Rice and Chris Humphreys will end the hour with a presentation expanding on the concept of controls consolidation and compliance as a byproduct focused on NERC CIP Ver 3-5 and NIST transitional capabilities of Regulation Management.
What the Department of Defense and Energy Sector Can Learn from Each OtherEnergySec
This presentation will discuss how the Department of Defense executes its critical infrastructure protection program, where it intersects with energy sector CIP efforts and what we can learn from each other.
Third Party Security Testing for Advanced Metering Infrastructure ProgramEnergySec
In July 2010, BC Hydro, the electric utility and grid operator of British Columbia began implementation of its AMI program, formally known as the Smart Meter & Infrastructure (SMI) program. The SMI program transformed BC Hydro from a traditional metering utility to a smart metering utility by implementing smart meters on the customer service points. It was the first step in the smart grid transformation.
The SMI program required the introduction of many new devices and applications into BC Hydro’s infrastructure. Some of these had never been deployed before anywhere in the world. Many were field deployed, outside of BC Hydro’s physical security perimeter.
The SMI Security Delivery Team was formed to deliver on these commitments and to take responsibility for the end to end security of the SMI program. The Team implemented a multi-pronged approach to securing SMI including security risk assessments, security penetration testing by the team, design reviews, whole project risk assessments and third party security penetration testing.
A standards based approach was required to ground the test plan both in best practice and in a common set of principles that BC Hydro and its vendors could accept. The Advanced Metering Infrastructure (AMI) Risk Assessment document prepared by the Advanced Metering Infrastructure Security (AMI-SEC) Task Force was used as a basis for the test plan. This document has since been passed to the National Institute of Standards and Technology (NIST) Cyber Security Working Group and was integrated into NIST IR 7628. NIST IR 7628 contains a comprehensive list of possible threats to AMI systems.
The program was highly successful. Test results informed BC Hydro’s deployment decisions and allowed the manufacturers to improve their products. Lessons were learned about how best to conduct third party security testing. A full lessons learned section is included in the presentation.
Beyond Public Private Partnerships: Collaboration, Coordination and Commitmen...EnergySec
The industrial cybersecurity landscape is complex and made up of very different actors (industrial organizations, critical infrastructures, EPC companies, industrial and cybersecurity vendors, consultancy companies, integrators, academia, public bodies and governments), with very different interests, objectives and maturity levels, even internally within each organization, so there is no way to go it alone in protecting these industrial and critical infrastructures adequately. Interdependencies, the multidisciplinary nature of the problem, multiple supply chains and the lack of a common reference make the task of advancing in the right direction even more complex.
Public Private Partnerships (PPP) are recognized as a key aspect of improving Industrial Cybersecurity and Critical Infrastructure Protection, but a PPP is usually a formal and structured way of communication and collaboration between organizations that is not necessarily followed by the people in charge of, or part of, those organizations.
In this presentation, we are proposing a new concept: C3R, “Collaboration, Coordination and Commitment based Relationships”, as the base for building a global community for protecting our Industrial and Critical Infrastructures and explaining the keys of the success of such an approach.
Mr. Feldman will lead us on a path to help us think about the “Sea Changes” happening in the energy sector from a strategic perspective, implications for the energy companies and cybersecurity from a Board of Directors governance viewpoint. This will include future direction concept that will address suggestions on where Regulators such as NERC should be heading with regard to security and other associated issues to feed your thoughts.
CIP-014-1: Next Steps from an Auditor’s Perspective
1. CIP-014-1: Next Steps from an Auditor’s Perspective
Darren T. Nielsen, M.Ad., CISA, CPP, PCI, PSP, CBRA, CBRM
Senior Compliance Auditor, Cyber Security
Salt Lake City, UT Office
August 21, 2014
Austin, Texas
2. Set your Compass!
• Where are you heading?
• Is it the right direction?
• Do you have help in charting the course?
3. CIP-014-1 Introduction
• What it is:
o Physical security of Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in “widespread” instability, uncontrolled separation, or Cascading within an Interconnection.*
*In its July 17, 2014 NOPR, FERC proposed directing that “widespread” be removed.
• What it is not:
o An extension of, or related to, CIP-006
o Critical Cyber Asset/Protected Cyber Asset based
o A limit to physical security measures
o A one-size-fits-all approach to physical security
4. CIP-014-1 Introduction
• It may be helpful to view and manage CIP-014-1 as two major components.
o R1: Applicability and Risk Assessment
o R2: Unaffiliated Review
o R3: Control Center Notification
o R4: Threat and Vulnerability Assessment
o R5: Security Plan
o R6: Unaffiliated Review
5. CIP-014-1 R1: Applicability and Risk Assessment
• Must be completed by the effective date of CIP-014-1
• Subsequent assessments must be completed:
o At least every 30 months for entities that identified applicable stations/substations on the previous assessment
o At least every 60 months for entities that identified a null list on the previous assessment
6. CIP-014-1 R1: Applicability and Risk Assessment
• Create a Candidate List
o Substations/Stations operating at or above 200 kV
o Substations/Stations identified in an IROL
o Substations/Stations critical to operation of nuclear facilities
• Apply the criteria listed in Applicability section 4.1.1 of CIP-014-1
o Operating at or above 500 kV
-or-
o Identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies
-or-
o Essential to meeting Nuclear Plant Interface Requirements
-or-
7. CIP-014-1 R1: Applicability and Risk Assessment
• Apply the criteria listed in Applicability section 4.1.1 of CIP-014-1 (continued)
o Operating between 200 kV and 499 kV at a single station or substation, where the station or substation is connected at 200 kV or higher voltages to three or more other Transmission stations or substations and has an “aggregate weighted value” exceeding 3000 according to the weight-per-line table in that section of the standard (the table is not reproduced in this transcript).
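As an added example (not code from the presentation, from NERC, or from any audit tool), the following Python script applies the 4.1.1 criteria from slides 6 and 7 to a constructed list of stations, including the aggregate weighted value test. The per-line weights (0 below 200 kV, 700 for 200-299 kV, 1300 for 300-499 kV) are taken from the standard’s weighting table and should be verified against the version of CIP-014-1 in force; the station data model, the IROL and nuclear-interface flags, and the sample stations are assumptions made for this example.

```python
"""Screen Transmission stations against the CIP-014-1 Applicability 4.1.1
criteria summarised in the slides above.

Added, illustrative example written for this page; not code from the
presentation, from NERC, or from any audit tool.

Assumptions not stated in the slides:
- Per-line weights (0 below 200 kV, 700 for 200-299 kV, 1300 for 300-499 kV)
  follow the weighting table in CIP-014-1 Applicability 4.1.1; check them
  against the version of the standard in force before relying on them.
- A Station record carries the highest voltage it operates at, its lines
  (nominal kV plus far-end station name) and two flags that would come from
  the RC/PC/TP (IROL) and from the nuclear interface analysis.
- The sample stations at the bottom are constructed, not real.
"""
from dataclasses import dataclass, field

THRESHOLD = 3000      # aggregate weighted value must *exceed* this
MIN_CONNECTED = 3     # ... and reach three or more *other* stations at >= 200 kV


@dataclass(frozen=True)
class Line:
    kv: int          # nominal operating voltage of the line
    far_end: str     # the other Transmission station/substation


@dataclass
class Station:
    name: str
    max_kv: int                          # highest voltage operated at the station
    lines: list = field(default_factory=list)
    irol_critical: bool = False          # per RC/PC/TP: critical to an IROL derivation
    nuclear_interface: bool = False      # essential to Nuclear Plant Interface Requirements


def line_weight(kv: int) -> int:
    """Weight value per line (assumed from the CIP-014-1 applicability table)."""
    if kv < 200:
        return 0          # lines below 200 kV add nothing to the value
    if kv < 300:
        return 700
    return 1300           # 300-499 kV (a >= 500 kV line makes it a 500 kV station)


def aggregate_weighted_value(station: Station) -> int:
    """Sum the weight of every line to another station. Each line counts,
    even when several lines run to the same far-end station."""
    return sum(line_weight(line.kv) for line in station.lines)


def stations_connected_at_200kv(station: Station) -> int:
    """Count *distinct* other stations reached at 200 kV or above; parallel
    lines to one station count once here (unlike the weighted value)."""
    return len({line.far_end for line in station.lines if line.kv >= 200})


def applicability_reasons(station: Station) -> list:
    """Return the 4.1.1 criteria the station meets (empty list = not applicable)."""
    reasons = []
    if station.max_kv >= 500:
        reasons.append("operates at 500 kV or higher")
    elif 200 <= station.max_kv <= 499:
        connected = stations_connected_at_200kv(station)
        value = aggregate_weighted_value(station)
        # "exceeding 3000" is strict: a value of exactly 3000 would not qualify
        if connected >= MIN_CONNECTED and value > THRESHOLD:
            reasons.append(
                f"200-499 kV, connected to {connected} stations, "
                f"aggregate weighted value {value} > {THRESHOLD}")
    if station.irol_critical:
        reasons.append("critical to the derivation of an IROL")
    if station.nuclear_interface:
        reasons.append("essential to Nuclear Plant Interface Requirements")
    return reasons


def candidate_list(stations) -> dict:
    """Map each applicable station name to the reasons it is in scope."""
    return {s.name: r for s in stations if (r := applicability_reasons(s))}


# Constructed sample data (not real stations).
SAMPLE = [
    # 345 kV, three lines to three different stations: 3 x 1300 = 3900 > 3000
    Station("Alpha", 345, [Line(345, "B"), Line(345, "C"), Line(345, "D")]),
    # same weighted value, but two lines go to the same station: only two
    # other stations are connected, so the criterion is not met
    Station("Bravo", 345, [Line(345, "B"), Line(345, "B"), Line(345, "C")]),
    # 230 kV, four 230 kV lines (4 x 700 = 2800) plus a 138 kV line (weight 0)
    Station("Charlie", 230, [Line(230, n) for n in "BCDE"] + [Line(138, "F")]),
    # 500 kV: in scope regardless of its lines
    Station("Delta", 500, [Line(500, "B")]),
    # below the weighted-value threshold, but flagged IROL-critical by the RC
    Station("Echo", 230, [Line(230, "B"), Line(230, "C")], irol_critical=True),
]

if __name__ == "__main__":
    for name, reasons in candidate_list(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

Two details trip people up and are worth checking in whatever spreadsheet or script an entity actually uses: the “three or more other stations” test counts distinct far-end stations, while the weighted value counts every line, so parallel circuits to one neighbour can push the value past 3000 without satisfying the connection test (station “Bravo” above); and lines below 200 kV contribute nothing. The output is the R1 candidate list, not the R1 conclusion: the risk assessment of each candidate still has to be performed and documented.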
8. CIP-014-1 R2: Unaffiliated Review of R1 Assessment
• Must be completed within 90 days of the R1 assessment, and may be conducted concurrently with it
• The unaffiliated third party must be:
o A registered Planning Coordinator, Transmission Planner, or Reliability Coordinator
-or-
o An entity that has transmission planning or analysis experience
• The SDT (Standard Drafting Team) interprets “unaffiliated” as external to the corporate structure
• The credentials of the third party will be assessed and may impact the audit risk and the subsequent rigor applied to R1
9. CIP-014-1 R2: Unaffiliated Review of R1 Assessment
• Unaffiliated reviewer recommendations must be addressed within 60 days of the review:
o Modify the identification under Requirement R1 consistent with the recommendation
-or-
o Document the technical basis for not modifying the identification in accordance with the recommendation
This language is NOT intended to trigger TFEs (Technical Feasibility Exceptions)
• Implement procedures to protect sensitive information throughout the review process
10. CIP-014-1 R3: Notify Control Center Owners
• The entity has 7 days to notify control center operators for primary control centers associated with stations/substations identified in the R1 assessment
• The entity has 7 days to notify control center operators for primary control centers associated with stations/substations removed in subsequent R1 assessments
• Compliance tips:
o Use email read receipts
o Implement three-part communications
o Receive and document confirmation of notification from control center operators
11. CIP-014-1 R4: Threat and Vulnerability Assessment
• Conduct a threat and vulnerability assessment that considers:
o Unique characteristics
o Attack history, attacks on similar facilities
    - Frequency
    - Geographic proximity
    - Severity
o Intelligence or threat warnings
12. CIP-014-1 R4: Threat and Vulnerability Assessment
• Unique characteristics may include:
o Terrain
    - Rural
    - Urban
o Equipment/facility array
    - Are critical vulnerable assets on the perimeter, or are they shielded from view or attack by less critical components of the facility?
o Existing protections
o Facility size and shape
    - A pure rectangle faces fewer inherent vulnerabilities than a facility with multiple corners, alcoves, and salient points.
o Crime statistics
o Weather
13. CIP-014-1 R4: Threat and Vulnerability Assessment
• Assessment tips
o Identify which components of the facility are critical to the mission
o Evaluate your facility from an adversary’s perspective
o Extend the assessment beyond the fence line
o Understand the advantages and disadvantages afforded by surrounding terrain
o Understand your threat environment
    - Evaluate attacks on similar facilities globally
    - Evaluate attacks in your geographic area even if the target facility is unlike yours
• Some existing assessment methodologies
o CARVER
o DHS Enhanced Critical Infrastructure Protection Infrastructure Survey Tool (ECIP/IST)
o Attack tree modeling
14. CIP-014-1 R4: Threat and Vulnerability Assessment
• Suggested threat vectors to consider
o Direct fire: can an adversary fire a line-of-sight weapon and damage a critical component?
o Indirect fire: can an adversary fire a weapon on an arc trajectory and damage a critical component?
o Explosive: can an adversary place an explosive device such that it will damage a critical component?
o Vehicular attack: can an adversary drive a vehicle into my facility to damage a critical component?
o Forced entry: can an adversary force their way into my facility to damage a critical component?
o Surreptitious entry: can an adversary sneak into the facility to damage a critical component?
o Arson: can an adversary damage critical components with fire?
15. Assessment Resources
• Resources
o Physical security personnel
o Local law enforcement
o Federal agencies
o State emergency management
• Methodologies
o ECIP/SAV
o CARVER
16. Terrain Analysis
• Observation
• Avenues of approach
• Key terrain
• Obstacles
• Cover and concealment
17. Observation
• Where can bad guys see me?
• What can I see?
• More importantly, what can’t I see?
21. Key Terrain
• What do I really need to keep bad guys away from?
• What areas can bad guys conduct surveillance from?
• What areas can bad guys launch an attack from?
23. Obstacles
• What do I have available to block bad guys from getting to or seeing me?
o Natural
    - Cliffs
    - Ravines
    - Trees
    - BFRs
o Man-made
    - Fences
    - Gates
    - Bollards
27. Self Assessment
• What is vulnerable?
o Ballistic paths
o Susceptible to blast
o Susceptible to sabotage
• How could I be attacked?
o Beware a “failure of imagination”
o Do not think about the likelihood of an attack vector at this point
28. Surveillance Detection
• The following few slides are a very small slice of a free three-day course that DHS provides*
• If interested in the full course, contact your DHS Protective Security Advisor
*The presenter is not responsible for curriculum changes over the past four years or the effects of time on memory.
29. Attack Planning Cycle
When can the attacker best be defeated?
Planning cycle:
• Target identification
• Surveillance
• Target selection
• Pre-attack surveillance and planning
• Rehearsal
• Attack
• Escape
30. Surveillance Detection
Types of surveillance:
• Fixed
• Mobile
• Technical
• Photographic
• Combination
31. Hostile Surveillance Points
Where can an adversary effectively conduct surveillance on your facility?
34. Now What?
Q: We’ve mitigated all the hostile surveillance points, what’s next?
A: It depends
• Delay
• Detect
• Deter
• Defend
35. 35
Q: Why didn’t your last picture have any deter or defend mitigations?
A: There are a number of deterrents available at little or no cost
• Random security measures
• Every visible security control*
• Police patrols
Now What?
*Double-edged sword: showing all controls makes your controls easy to recon.
36. 36
Q: What do you mean by random security measures?
A: Random security measures allow you to implement security controls that wouldn’t be fiscally possible if they were implemented across your facilities 24/7. The key to successful random security measures is to avoid any discernible pattern and to ensure the measures are enough of a departure from your standard security posture that they throw off an adversary. Random security measures are the bane of a recon scout’s existence!
Deterrents
37. 37
Q: What are some examples of random security measures?
A:
• Flexing security guard postings
• Vehicle searches
• Random security patrols
• Additional personnel/vehicle searches
• Temporary vehicle barriers
Deterrents
38. 38
Q: How do I get the police to patrol my remote sites?
A: Information sharing!
• Teach your first responders what’s critical
• Invite first responders out for tours/site familiarity
• Where possible, offer some desk space and/or a pot of coffee
Deterrents
39. 39
Q: How can I defend my site without hiring a small army?
A: Do you have armed drones available? If not, you’re likely limited to your response plan.
Some questions to address in your response plan:
• Will controls allow for attack intervention or merely forensics?
• Who will respond?
o Guard force
o LLE
o Operations personnel
• How long can you delay vs. how long will your response take to get on site?
o 15-minute delay + 30-minute response = problem
Delay
40. 40
• Define your space
• Shape your environment
• Improve lighting
• Observation
• Direct foot and vehicle traffic
CPTED Concepts
41. 41
• Put yourself in the attacker’s position: which location would you prefer to attack?
Shape Your Environment
42. 42
• Put yourself in the attacker’s position: which location would you prefer to attack?
Lighting
46. 46
• Chain link fence with barbed wire topper
Average Current Substation Defense
47. 47
• Cameras
• Intrusion Detection
• System redundancy
• Defense in depth for cyber assets
Average Current Substation Defense
48. 48
• Develop a security plan including
o Resilience or security measures
   Ensure the measures address vulnerabilities identified in R4
o Law enforcement contact and coordination, which may include:
   Simply a name and phone number
   Meetings to discuss security concerns, site-specific hazards, etc.
   Site-specific training for law enforcement
   Hosting law enforcement exercises
o Timeline for implementing physical security projects
   No specific dates or time frames are required in this timeline, but it must pass the common sense test
o Provision to evaluate evolving threats
   Should include a process or mechanism to receive threat information
   Should include a process to evaluate threat information as it is received
CIP-014-1 R5: Security Plan
49. 49
• Security Plan Tips
o Conduct a second assessment including the new measures
   Provides valuable metrics to stakeholders and regulators
   If conducted in the planning phase, may prevent costly but minimally effective security enhancements
o Ensure the plan makes sense
   A reasonably informed person should be able to follow and implement the plan without extensive knowledge of the site or entity
o Law enforcement is your friend
   Coordinate early and often to ensure all parties understand facility nuances and specific hazards/concerns
   Law enforcement training on site = free security
   Ensure mutual understanding of law enforcement response procedures and capabilities
o Consider developing a threat/risk assessment function
   May require additional human capital
   Can be achieved through vendor solutions
CIP-014-1 R5: Security Plan
50. 50
• R6: Unaffiliated Review of R4 Assessment and R5 Plan
o An organization with industry physical security experience AND a Certified Protection Professional (CPP) or Physical Security Professional (PSP) on staff.*
-or-
o An organization approved by the ERO.*
-or-
o A government agency with physical security expertise.
-or-
o An organization with demonstrated law enforcement or military physical security expertise.*
*WECC staff meet these criteria
CIP-014-1 R6: Unaffiliated Review of Assessment and Plan
51. 51
• R1 Risk Assessment must be completed on or before the effective date
• R2
o 2.1, 2.2, and 2.4 must be completed within 90 calendar days of R1 assessment
o 2.3 must be completed within 60 calendar days of 2.2 verification
• R3 must be completed within 7 calendar days of R2 completion
• R4 must be completed within 120 calendar days of R2 completion
CIP-014-1 Implementation
52. 52
• R5 must be completed within 120 days of R2 completion
• R6
o 6.1, 6.2, and 6.4 must be completed within 90 days of R5 completion
o 6.3 must be completed within 60 days of 6.2 review
CIP-014-1 Implementation
53. 53
CIP-014-1 Implementation
CIP-014-1 Implementation Timeline
Requirement   Milestone                              Deadline          Cumulative
R1            Assessment                             Effective Date    0 days
R2            Verification                           Effective + 90    90 days
R2.3          Address Discrepancies                  R2.2 + 60         150 days
R3            Notify Control Center                  R2 + 7            157 days
R4            Threat and Vulnerability Evaluation    R2 + 120          270 days
R5            Security Plan                          R2 + 120          270 days
R6            Review                                 R5 + 90           360 days
R6.3          Address Discrepancies                  R6.2 + 60         420 days
Deadlines keyed to "R2" run from R2 completion at day 150 (after R2.3 is done), not from the day-90 verification.
Less than nine months from effective date to Security Plan completion
54. 54
• R2 through R6 must be completed within 420 calendar days after completing the risk assessment process in R1.
Maximum Timeline
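As an added example (not part of the original deck or of WECC's materials), the Python below encodes the milestone offsets from the implementation slides, computes the worst-case calendar deadlines from an assumed effective date, and shows how an early completion pulls the later deadlines in, since each step is measured from completion of the step before it. The effective date and the early-completion scenario are constructed values.

```python
from datetime import date, timedelta

# CIP-014-1 milestone offsets (calendar days) as listed on the implementation
# slides. Each milestone is keyed to the COMPLETION of an earlier milestone,
# not to the effective date, so finishing a step early pulls later deadlines
# in. R2 counts as complete once R2.3 is done (day 150), which is how the
# slide table reaches 157 days for R3.
SCHEDULE = [
    # (milestone, keyed to, offset in calendar days)
    ("R1 Assessment", None, 0),
    ("R2 Verification", "R1 Assessment", 90),
    ("R2.3 Address Discrepancies", "R2 Verification", 60),
    ("R3 Notify Control Center", "R2.3 Address Discrepancies", 7),
    ("R4 Threat and Vulnerability Evaluation", "R2.3 Address Discrepancies", 120),
    ("R5 Security Plan", "R2.3 Address Discrepancies", 120),
    ("R6 Review", "R5 Security Plan", 90),
    ("R6.3 Address Discrepancies", "R6 Review", 60),
]
MAX_DAYS_AFTER_R1 = 420  # slide 54: R2 through R6 within 420 days of R1
EXAMPLE_EFFECTIVE = date(2015, 10, 1)  # constructed date, not from the deck


def deadlines(effective, completed=None):
    """Return {milestone: latest permitted completion date}.

    `completed` maps milestones to their ACTUAL completion dates; a step keyed
    to a completed milestone is measured from that real date, otherwise from
    the predecessor's own latest permitted date (the worst-case schedule).
    """
    completed = completed or {}
    due = {}
    for name, dep, offset in SCHEDULE:  # list is already in dependency order
        base = effective if dep is None else completed.get(dep, due[dep])
        due[name] = base + timedelta(days=offset)
    return due


def days_from_effective(effective, completed=None):
    """Cumulative day offsets, directly comparable with the slide table."""
    return {k: (v - effective).days for k, v in deadlines(effective, completed).items()}


def within_maximum(effective, completed=None):
    """True when the final milestone lands within the 420-day overall limit."""
    return max(days_from_effective(effective, completed).values()) <= MAX_DAYS_AFTER_R1


if __name__ == "__main__":
    for name, due in deadlines(EXAMPLE_EFFECTIVE).items():
        print(f"{name:40s} due {due.isoformat()}")
```

Passing an actual completion date for R2.3 shows the practical consequence: R3, R4, R5 and R6 all move earlier by the same number of days, so the 420-day figure is a ceiling, not the plan.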
55. 55
• Notice of Proposed Rulemaking (NOPR) issued by FERC July 17, 2014.
o Proposes to approve CIP-014-1, implementation plan, and VRF/VSL
o Proposes modifications
o Proposes informational filing
o Seeks comments
• Comments due 45 days after NOPR published in the Federal Register. Reply comments due 60 days after NOPR published in the Federal Register.
CIP-014 (Physical Security) NOPR
56. 56
• Proposed Modifications:
o Allow Governmental Authorities (i.e., FERC and any other appropriate federal or provincial authorities) to add or subtract facilities from an applicable entity’s list of critical facilities under Requirement R1.
o Remove the term “widespread” as it appears in the proposed Reliability Standard in the phrase “widespread instability.”
CIP-014 (Physical Security) NOPR
57. 57
• Proposed Informational Filings:
o Within six months of the effective date of a final rule, addressing the possibility that CIP-014-1 may not provide physical security for all “High Impact” control centers as defined in CIP-002-5.1.
o Within one year of the effective date of a final rule, addressing possible resiliency measures that can be taken to maintain reliable operation of the Bulk Electric System following the loss of critical facilities.
CIP-014 (Physical Security) NOPR
58. 58
• Comments desired on:
o Providing for applicable governmental authorities to add or subtract facilities from an entity’s list of critical facilities
o The standard for identifying critical facilities
o Control centers
o Exclusion of generators from the applicability section of the proposed Reliability Standard
o Third-party recommendations
o Resiliency
o Violation risk factors and violation severity levels
o Implementation plan and effective date
CIP-014 (Physical Security) NOPR
59. 59
• PSWG: Get plugged in!
• http://www.wecc.biz/committees/StandingCommittees/OC/CIIMS/PSWG/default.aspx
• Phone call away. We want to help.
• Always willing to provide our audit approach
At Your Service
60. Darren T. Nielsen, M.Ad, CISA, CPP, PCI, PSP, CBRA, CBRM
Senior Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 857-9134
dnielsen@wecc.biz
Questions?
Editor's Notes
Don’t waste valuable resources by designing ineffective physical security programs that offer unnecessary protections or worse, fail to provide adequate security for critical sites.
Smartly planning and implementing effective physical protection systems involves a lock, stock, and barrel approach that strategically harmonizes your people, procedures, and equipment. Make this holistic scenario an everyday reality for your security program while maintaining realistic budget goals.
In the second proposed modification, the Commission would direct NERC to revise wording that it believes could narrow the scope and number of identified critical facilities. Specifically, the NOPR seeks comment on the Commission’s concern that NERC’s use of the phrase “widespread instability” rather than “instability,” as stated in the March order, could create ambiguity since the term “widespread” is not defined.
You have a number of resources available to conduct assessments, both in-house and external.
Discuss the value of external (new set of eyes) vs. internal (little/no cost, information control, minimal coordination) assessment resources.
There are countless methodologies available, but I’m going to focus on two that I’ve personally conducted: ECIP/SAV and CARVER.
You must understand the terrain around your facility for an effective, efficient defense.
Know how to use the terrain to your advantage
Understand how the terrain can be used against you
Like CPTED, we want to maximize our observable space
Additionally, we want to know where the adversary can observe us
There are a few barriers to our observation here:
Hills
Ravine
Trees
Bushes
Cliff
An adversary can observe us from:
Hills
Trees
Bushes
Open Space
Again, like CPTED we must understand how an adversary can reach us and work to control those avenues through barriers and/or observation
Without mitigation, the adversaries can approach us from just about everywhere.
Notice there are no water-borne Ewoks. While it’s possible that an adversary could scale the 300’ cliff, it’s unlikely with so many other easy approaches.
We tend to look at design of utilities only through a functional lens with minimal concern for aesthetics or design.
Adversaries notice that.
Let’s talk about a few high-level crime prevention through environmental design concepts worth considering.
An adversary is far less likely to attack a facility that appears well-maintained and attended than one that shows signs of disrepair.
Good lighting reduces an adversary’s concealment, making them easier to detect and making the facility less enticing.
Like lighting, we want to remove potential hiding spots and improve our ability to see to and beyond our perimeter.
More details to come from NERC on what Unaffiliated Review is. Bottom line: an entity does not need to spend a lot of money, or any, to complete this task. However, note that WECC Audit staff will conduct an arduous audit and request documentation on the training and experience of whomever an entity chooses to use as a reviewer. A CPP or PSP security professional will likely receive less rigor based on the auditor’s professional judgment.
Note: just because the reviewers are government (FBI, DHS, etc.), law enforcement or military does not mean WECC staff will accept them based on title. Be prepared to show and deliver documents to support experience in industry, training, etc. More is better; a résumé is not enough for an auditor to obtain reasonable assurance.
Cannot provide directives or prescribe compliance; will provide our audit approach and answer “what ifs.”