Whitepaper by Encari's co-founder and the Mid-West ISO's chairman.
Matthew Luallen, co-founder of Encari, and Paul Feldman, chairman of the Mid-West ISO, have written a whitepaper that explains how utilities attempting to meet the North American Electric Reliability Corporation "Critical Infrastructure Protection" (NERC CIP) requirements can meet both the spirit and the letter of the regulations.
The whitepaper provides insights and recommendations around the following topics:
Utilities should go beyond "checking the box" and meet the true intention of the NERC CIP requirements: protecting the reliability and availability of the Bulk Electric System (BES).
Traditional security solutions (e.g., blacklist-based antivirus, emergency security patches) not only fail to protect reliability and availability, they may negatively impact the goals themselves.
In addition to superior protection against even zero-day attacks, application whitelisting is gaining a following because it addresses the operational realities associated with control system implementations that blacklist-based solutions cannot.
Application whitelisting simultaneously helps address NERC CIP-007, R3 (security patching); CIP-007, R4 (anti-malware); and even NERC CIP-003, R6 (change control and configuration management).
An Approach to Closing the Gaps between Physical, Process Control, and Cybers... by EnergySec
The energy and utilities industry needs to take extraordinary steps to protect its critical infrastructure. Gone are the days where treating physical security, process control security, and cybersecurity as separate functional areas can suffice. As the threats to our nation’s electric utility enterprises continue to rise, we must use all available information resources and security tools in highly integrated total security systems. As described in this presentation, recognizing and capitalizing upon the broad commonality of security domains across all the three security functional areas can open many more possibilities to enhance an enterprise’s defenses. Based upon this unique systems concept, already proven effective for cybersecurity, a methodology for an integrated total security defense is described that begins with threat and vulnerability intelligence-driven security processes. By extending this methodology to all three security functional areas, organizations can better organize and utilize all their security resources and processes, including threat and vulnerability information, pre-emptive defense strategies, real and near-real time situation awareness capabilities, and incident response/ recovery actions; regardless of whether they are part of the physical, process control, or cybersecurity functional areas. In addition to methods and tools for highly efficient collection and analysis of “all source” threat and vulnerability information, also described are systems approaches for fusing and correlating the high volume and wide variety of available security relevant information. These can assist the security professionals to quickly analyze and initiate actions as needed across each of the physical, control process, and cyber security areas.
Utility Networks Agile Response Capabilities - New Context at EnergySec 2019 by Andrew Storms
New and emerging tools for security automation and response can enable a more agile threat response in support of grid resiliency.
Integration of cyber security incident response with IMS -- an approach for E... by David Sweigert
Response and recovery methods for severe cyber security incidents need traceable integration within incident management systems, which should be offered as a tool-set within the Executive Order 13636 Cybersecurity Framework.
NERC FERC CIP CIP-009 IMS NFPA 1600 CYBER SECURITY CISA CISSP PMP
Cyber security white paper final PMD 12_28_16 by Dave Darnell
The document discusses cyber security concerns in the energy industry based on surveys and reports. A 2015 survey of over 150 IT professionals in the energy sector found that 75% saw successful cyber attacks increase over the last 12 years, over 75% of attacks came from external sources, and over 80% believed a cyber attack could cause physical infrastructure damage within a year. The document also outlines cyber security standards and frameworks established by organizations like FERC, NERC, and DOE for the energy industry. It provides an overview of the company Systrends and their cyber security credentials and services available to help organizations improve their cyber security profile and preparedness.
The document outlines an information security workshop presentation on the scope and importance of information security. It discusses 10 key domains of information security knowledge including access control, application security, risk management, cryptography, operations security, physical security, security architecture, telecommunications, and networks. The presenter has 10 years of IT consulting experience and various security certifications. The goals are to raise awareness of information security and the need for regional cooperation such as a Pacific Computer Emergency Response Team.
Are existing compliance requirements sufficient to prevent data breaches? This session provides a technical assessment of the 2019 Capital One data breach, illustrating the technical modus operandi of the attack and identifying the related compliance requirements based on the NIST Cybersecurity Framework. Attendees will learn about the unexpected impact of corporate culture on overall cyber security posture.
This talk was presented at RSA Conference 2021 (Session RMG-T15) on May 18, 2021.
Original paper available for download at SSRN: Novaes Neto, Nelson and Madnick, Stuart E. and Moraes G. de Paula, Anchises and Malara Borges, Natasha, A Case Study of the Capital One Data Breach (28/04/2020). https://ssrn.com/abstract=3570138
Practical analysis of the cybersecurity of European smart grids by Sergey Gordeychik
This paper summarizes the experience gained during a series of practical cybersecurity assessments of various components of Europe’s smart electrical grids.
Dickstein Shapiro LLP and the Government Technology & Services Coalition (GTSC) held a webcast, “Key Cybersecurity Issues for Government Contractors” on Thursday, October 3, 2013. This interactive program, of particular interest to government contractor compliance officers, CIOs, CISOs, General Counsel, and any other C-suite members, discussed how the federal government is planning on fundamentally altering its acquisition policies to make the cybersecurity of its contractors a top priority. The discussion included:
- Proposed Federal Acquisitions Regulation (FAR) changes relating to President Obama’s Cybersecurity Executive Order;
- Planned changes to procurement requirements based on independent agency actions;
- Congressionally mandated cybersecurity requirements; and
- Ways contractors can prepare for these changes.
To view the webinar, visit:
Industrial Cybersecurity and Critical Infrastructure Protection in Europe by Positive Hack Days
This document provides an overview of critical infrastructure protection in Europe presented by Ignacio Paredes of the Industrial Cybersecurity Center. It discusses the convergence of physical and cyber worlds and how industrial control systems have become interconnected over TCP/IP and use general purpose operating systems. This has introduced cybersecurity challenges to operational technology environments. The document reviews cyber attacks on critical infrastructure like Stuxnet and Shamoon and regulations around critical infrastructure protection in the US and EU. It argues that identifying and prioritizing critical infrastructure is important but questions who will pay for protection and whether regulations have led to minimum compliance over real protection.
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
1. The document outlines 10 predictions for cybersecurity challenges in 2016 and beyond, including the expanding roles of governments, continued evolution of nation-state cyber offenses, and the intersection of life safety and cybersecurity in connected devices.
2. It predicts security expectations will increase while security technologies improve but remain outpaced by adaptable attackers. Attacks targeting trust and integrity will escalate.
3. A continued lack of cybersecurity talent will hinder the industry from effectively addressing evolving threats. New threat vectors are expected to emerge as technologies advance.
Cybersecurity for Energy: Moving Beyond Compliance by EnergySec
Presented by: Gib Sorebo, SAIC
Abstract: For the last few years, energy companies, particularly electric utilities, have been scrambling to meet the onslaught of cybersecurity regulations. However, hackers don’t follow regulations, so the need to rapidly address evolving threats is imperative to meet expectations of senior leadership, board members, and shareholders. This session will discuss how a mature governance structure and a cybersecurity strategy based on a comprehensive understanding of business risk can be used to address threats, comply with regulations, and obtain support from company stakeholders.
The document summarizes a workshop on the major changes in CIP Version 5. It discusses 19 new or revised definitions, including definitions for BES Cyber Assets, BES Cyber Systems, and impact levels. It also covers key changes like the use of bright line criteria to determine impact levels, new requirements for interactive remote access, and the guidelines and technical basis document. Attendees learned about top transition issues like asset identification, impact assessments, and changes to electronic security perimeters.
The document discusses upcoming security challenges for the Internet of Things (IoT) and introduces Warden, an autonomous security solution developed by Delve Labs. Current security strategies are insufficient for IoT due to a shortage of security professionals and incomplete asset visibility. Warden uses artificial intelligence to autonomously perform continuous vulnerability assessments without human supervision, scaling to cover all IoT assets. It aims to mimic expert methodology while reducing false positives through deep learning. Warden generates data to help prioritize issues and integrate with other tools via APIs.
The document discusses infrastructure security and protecting critical infrastructure from threats like terrorism. It outlines key areas of critical infrastructure like transportation, energy, and communications. It also discusses identifying vulnerabilities in critical infrastructure through risk assessment and implementing protective programs to reduce risks and strengthen defenses.
This newsletter provides information on upcoming events for the ISA Process Measurement and Control Division (PMCD) and summarizes recent division activities. It discusses the Director's message about events organized in 2015, including the 60th and 61st International Instrumentation Symposiums and the 2014 Process Control & Safety Symposium. It also outlines the PMCD scholarship program and provides contact information for division leadership.
Healthcare IT Security Necessity Wp101118 by Erik Ginalick
Healthcare organizations face serious risks if their networks and medical devices are breached, including lawsuits, fines, loss of reputation and trust from patients. As medical technology becomes more connected, these risks are growing. CenturyLink offers security solutions and services to help healthcare providers protect their networks and meet regulatory standards. Their services identify vulnerabilities, monitor network health, manage security policies and respond to security incidents. Partnering with CenturyLink provides healthcare organizations with comprehensive security and expert support to secure their networks.
Cybersecurity Preparedness Trends and Best Practices by Tony Moroney
The document summarizes the key findings of a cybersecurity preparedness benchmarking study conducted by Berkeley Research Group. The study surveyed over 100 executives across different sectors to evaluate their cybersecurity programs, governance, and incident response capabilities. Key findings included that while organizations focused on cybersecurity culture, many did not feel their programs were fully effective. Current employees were identified as the likely cause of most breaches. Most organizations lacked strategies for emerging technologies like the Internet of Things. The report provided recommendations for organizations to improve, including gaining board leadership support, building security into all activities, and ensuring qualified cybersecurity talent.
This document discusses legal and ethical aspects of computer security. It covers topics like cybercrime and types of computer crimes. It also discusses challenges in cybercrime law enforcement and profiles of cybercriminals and victims. Intellectual property issues related to software, algorithms, databases and digital content are examined. The document also covers privacy issues and common criteria for privacy classification. Finally, it discusses professional responsibilities and codes of conduct in computing.
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment
Presenter: David Knox, Vice President of National Security Solutions, Oracle
Description: With all the constant innovation in cyber, what is “cutting edge”? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply with standards, and meet other mandates? What areas still need resources, ideas and innovation? Join us to hear about advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.
Despite the amazing technologies available today in cybersecurity, organizations still struggle with the most fundamental challenge that has been around for decades: understanding all the devices, users, and cloud services they’re responsible for, and whether those assets are secure.
These slides—based on the webinar hosted by leading IT research firm EMA and Axonius—explain why solving asset management for cybersecurity is becoming increasingly important, and why something so fundamental has quickly risen to the top of CISOs’ priority lists.
Almost every business decision requires executives and managers to balance risk and reward, and efficiency in that process is essential to an enterprise’s success. Too often though, IT risk (business risk related to the use of IT) is overlooked.
While other business risks such as market, credit and operational risks have long been incorporated into the decision-making processes, IT risk has usually been relegated to technical specialists outside the boardroom, despite falling under the same risk category as other business risks: failure to achieve strategic objectives.
This session intends to address business risks related to the use of IT, looking at industry standards, frameworks and best practices, as well as focusing on real world examples and specific plans on how to implement IT Risk Management on every level of your company.
1. Genuine Parts Company, a global service organization with over 55,000 employees, implemented ISACA's CMMI Cybermaturity Platform to better assess and manage their cybersecurity risk and demonstrate cyber resilience.
2. The CMMI Cybermaturity Platform allows companies to conduct a customized cyber maturity self-assessment aligned with frameworks like NIST CSF and ISO 27001. It provides a risk-focused assessment and prioritized roadmap to guide cybersecurity investments.
3. Using the platform, Genuine Parts established a baseline maturity level, identified areas for improvement, and reduced the time to resolve security incidents from an average of 24 days to 6.5 days, improving their cybersecurity capabilities and risk management.
150 0046-001 cost-lte_outages_industryinsights_final by Terry Young
The document compares the costs of security risks from breaches and outages in LTE networks to the costs of investing in security for the S1 interface. It finds that for a representative operator with 60 million subscribers and a $1.4 billion LTE investment, the costs of a single malicious breach impacting 1.8 million subscribers would be $286 million, while the costs of an 18-hour service disruption would be $356 million. In both cases, these risks significantly outweigh the estimated $64 million cost of implementing S1 interface security. Industry analysts estimate that businesses generally spend over 5 times as much addressing breaches after the fact than investing proactively in security.
This white paper discusses the importance of developing a comprehensive security policy to protect automation systems. It outlines several security guidelines that can be included in a policy, such as restricting physical access, implementing strong authentication and authorization practices, designing secure network architectures, controlling remote access securely, and establishing wireless and maintenance security procedures. The document emphasizes that a security policy coupled with secure products and ongoing maintenance is essential for securing modern automation networks that now connect to open enterprise networks.
Career exploration trip presentation for cdpi (1) by cdpindiana
The document describes career exploration trips organized by IU SPEA to connect students, alumni, and employers. The trips involve industry panels with alumni and employer representatives, site visits to companies and organizations, and an evening networking event. Requirements include securing alumni/employer contacts, facilities, and funding for travel. Benefits are connecting students to career opportunities and allowing staff and alumni to share experiences. Costs involve student travel, meals, staff time, and promotional materials. Extensive pre-trip planning and follow-up is required. Resources and examples from past trips in Washington D.C. and Chicago are provided.
This document contains notes from an English class on rhetorical devices and essay writing techniques. It discusses counterarguments, conclusions, and the rhetorical strategies of aphorism and chiasmus. For counterarguments, it explains that addressing opposing views strengthens one's own argument. For conclusions, it provides tips on wrapping up an essay effectively. It then defines and provides examples of aphorisms and chiasmus, including how to recognize and write these condensed or inverted structures. Students are prompted to practice these forms in relation to their character analysis assignment.
PR is a distinctive management function that helps establish communication between an organization and its publics. It involves managing issues through a four step process of research, planning, communication, and evaluation. PR encompasses many components including counseling, research, media relations, publicity, community relations, and financial relations. PR aims to raise awareness, build trust and credibility, and create a climate for consumer acceptance in support of marketing goals. It is a growing industry with opportunities in many sectors.
Dickstein Shapiro LLP and the Government Technology & Services Coalition (GTSC) held a webcast, “Key Cybersecurity Issues for Government Contractors” on Thursday, October 3, 2013. This interactive program, of particular interest to government contractor compliance officers, CIOs, CISOs, General Counsel, and any other C-suite members, discussed how the federal government is planning on fundamentally altering its acquisition policies to make the cybersecurity of its contractors a top priority. The discussion included:
- Proposed Federal Acquisitions Regulation (FAR) changes relating to President Obama’s Cybersecurity Executive Order;
- Planned changes to procurement requirements based on independent agency actions;
- Congressionally mandated cybersecurity requirements; and
Ways contractors can prepare for these changes.
To view the webinar, visit:
Industrial Cybersecurity and Critical Infrastructure Protection in EuropePositive Hack Days
This document provides an overview of critical infrastructure protection in Europe presented by Ignacio Paredes of the Industrial Cybersecurity Center. It discusses the convergence of physical and cyber worlds and how industrial control systems have become interconnected over TCP/IP and use general purpose operating systems. This has introduced cybersecurity challenges to operational technology environments. The document reviews cyber attacks on critical infrastructure like Stuxnet and Shamoon and regulations around critical infrastructure protection in the US and EU. It argues that identifying and prioritizing critical infrastructure is important but questions who will pay for protection and whether regulations have led to minimum compliance over real protection.
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistMatthew Rosenquist
1. The document outlines 10 predictions for cybersecurity challenges in 2016 and beyond, including the expanding roles of governments, continued evolution of nation-state cyber offenses, and the intersection of life safety and cybersecurity in connected devices.
2. It predicts security expectations will increase while security technologies improve but remain outpaced by adaptable attackers. Attacks targeting trust and integrity will escalate.
3. A continued lack of cybersecurity talent will hinder the industry from effectively addressing evolving threats. New threat vectors are expected to emerge as technologies advance.
Cybersecurity for Energy: Moving Beyond ComplianceEnergySec
Presented by: Gib Sorebo, SAIC
Abstract: For the last few years, energy companies, particularly electric utilities, have been scrambling to meet the onslaught of cybersecurity regulations. However, hackers don’t follow regulations, so the need to rapidly address evolving threats is imperative to meet expectations of senior leadership, board members, and shareholders. This session will discuss how a mature governance structure and a cybersecurity strategy based on a comprehensive understanding of business risk can be used to address threats, comply with regulations, and obtain support from company stakeholders.
The document summarizes a workshop on the major changes in CIP Version 5. It discusses 19 new or revised definitions, including definitions for BES Cyber Assets, BES Cyber Systems, and impact levels. It also covers key changes like the use of bright line criteria to determine impact levels, new requirements for interactive remote access, and the guidelines and technical basis document. Attendees learned about top transition issues like asset identification, impact assessments, and changes to electronic security perimeters.
The document discusses upcoming security challenges for the Internet of Things (IoT) and introduces Warden, an autonomous security solution developed by Delve Labs. Current security strategies are insufficient for IoT due to a shortage of security professionals and incomplete asset visibility. Warden uses artificial intelligence to autonomously perform continuous vulnerability assessments without human supervision, scaling to cover all IoT assets. It aims to mimic expert methodology while reducing false positives through deep learning. Warden generates data to help prioritize issues and integrate with other tools via APIs.
The document discusses infrastructure security and protecting critical infrastructure from threats like terrorism. It outlines key areas of critical infrastructure like transportation, energy, and communications. It also discusses identifying vulnerabilities in critical infrastructure through risk assessment and implementing protective programs to reduce risks and strengthen defenses.
This newsletter provides information on upcoming events for the ISA Process Measurement and Control Division (PMCD) and summarizes recent division activities. It discusses the Director's message about events organized in 2015, including the 60th and 61st International Instrumentation Symposiums and the 2014 Process Control & Safety Symposium. It also outlines the PMCD scholarship program and provides contact information for division leadership.
Healthcare It Security Necessity Wp101118Erik Ginalick
Healthcare organizations face serious risks if their networks and medical devices are breached, including lawsuits, fines, loss of reputation and trust from patients. As medical technology becomes more connected, these risks are growing. CenturyLink offers security solutions and services to help healthcare providers protect their networks and meet regulatory standards. Their services identify vulnerabilities, monitor network health, manage security policies and respond to security incidents. Partnering with CenturyLink provides healthcare organizations with comprehensive security and expert support to secure their networks.
Cybersecurity Preparedness Trends and Best PracticesTony Moroney
The document summarizes the key findings of a cybersecurity preparedness benchmarking study conducted by Berkeley Research Group. The study surveyed over 100 executives across different sectors to evaluate their cybersecurity programs, governance, and incident response capabilities. Key findings included that while organizations focused on cybersecurity culture, many did not feel their programs were fully effective. Current employees were identified as the likely cause of most breaches. Most organizations lacked strategies for emerging technologies like the Internet of Things. The report provided recommendations for organizations to improve, including gaining board leadership support, building security into all activities, and ensuring qualified cybersecurity talent.
This document discusses legal and ethical aspects of computer security. It covers topics like cybercrime and types of computer crimes. It also discusses challenges in cybercrime law enforcement and profiles of cybercriminals and victims. Intellectual property issues related to software, algorithms, databases and digital content are examined. The document also covers privacy issues and common criteria for privacy classification. Finally, it discusses professional responsibilities and codes of conduct in computing.
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment
Presenter: David Knox, Vice President of National Security Solutions, Oracle
Description: With all the constant innovation in cyber, what is "cutting edge"? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply with standards, and meet other mandates? What areas still need resources, ideas and innovation? Join us to hear about advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.
Despite the amazing technologies available today in cybersecurity, organizations still struggle with the most fundamental challenge that has been around for decades: understanding all the devices, users, and cloud services they’re responsible for, and whether those assets are secure.
These slides—based on the webinar hosted by leading IT research firm EMA and Axonius—explain why solving asset management for cybersecurity is becoming increasingly important, and why something so fundamental has quickly risen to the top of CISOs' priority lists.
Almost every business decision requires executives and managers to balance risk and reward, and efficiency in that process is essential to an enterprise’s success. Too often though, IT risk (business risk related to the use of IT) is overlooked.
While other business risks such as market, credit and operational risks have long been incorporated into the decision-making processes, IT risk has usually been relegated to technical specialists outside the boardroom, despite falling under the same risk category as other business risks: failure to achieve strategic objectives.
This session intends to address business risks related to the use of IT, looking at industry standards, frameworks and best practices, as well as focusing on real world examples and specific plans on how to implement IT Risk Management on every level of your company.
1. Genuine Parts Company, a global service organization with over 55,000 employees, implemented ISACA's CMMI Cybermaturity Platform to better assess and manage their cybersecurity risk and demonstrate cyber resilience.
2. The CMMI Cybermaturity Platform allows companies to conduct a customized cyber maturity self-assessment aligned with frameworks like NIST CSF and ISO 27001. It provides a risk-focused assessment and prioritized roadmap to guide cybersecurity investments.
3. Using the platform, Genuine Parts established a baseline maturity level, identified areas for improvement, and reduced the time to resolve security incidents from an average of 24 days to 6.5 days, improving their cybersecurity capabilities and risk management.
150 0046-001 cost-lte_outages_industryinsights_final by Terry Young
The document compares the costs of security risks from breaches and outages in LTE networks to the costs of investing in security for the S1 interface. It finds that for a representative operator with 60 million subscribers and a $1.4 billion LTE investment, the costs of a single malicious breach impacting 1.8 million subscribers would be $286 million, while the costs of an 18-hour service disruption would be $356 million. In both cases, these risks significantly outweigh the estimated $64 million cost of implementing S1 interface security. Industry analysts estimate that businesses generally spend over 5 times as much addressing breaches after the fact than investing proactively in security.
This white paper discusses the importance of developing a comprehensive security policy to protect automation systems. It outlines several security guidelines that can be included in a policy, such as restricting physical access, implementing strong authentication and authorization practices, designing secure network architectures, controlling remote access securely, and establishing wireless and maintenance security procedures. The document emphasizes that a security policy coupled with secure products and ongoing maintenance is essential for securing modern automation networks that now connect to open enterprise networks.
Career exploration trip presentation for cdpi (1) by cdpindiana
The document describes career exploration trips organized by IU SPEA to connect students, alumni, and employers. The trips involve industry panels with alumni and employer representatives, site visits to companies and organizations, and an evening networking event. Requirements include securing alumni/employer contacts, facilities, and funding for travel. Benefits are connecting students to career opportunities and allowing staff and alumni to share experiences. Costs involve student travel, meals, staff time, and promotional materials. Extensive pre-trip planning and follow-up is required. Resources and examples from past trips in Washington D.C. and Chicago are provided.
This document contains notes from an English class on rhetorical devices and essay writing techniques. It discusses counterarguments, conclusions, and the rhetorical strategies of aphorism and chiasmus. For counterarguments, it explains that addressing opposing views strengthens one's own argument. For conclusions, it provides tips on wrapping up an essay effectively. It then defines and provides examples of aphorisms and chiasmus, including how to recognize and write these condensed or inverted structures. Students are prompted to practice these forms in relation to their character analysis assignment.
PR is a distinctive management function that helps establish communication between an organization and its publics. It involves managing issues through a four step process of research, planning, communication, and evaluation. PR encompasses many components including counseling, research, media relations, publicity, community relations, and financial relations. PR aims to raise awareness, build trust and credibility, and create a climate for consumer acceptance in support of marketing goals. It is a growing industry with opportunities in many sectors.
http://sg.com.mx/sgce/2013/sessions/leadership-gift
You were born with the gift of leadership; we were all born with it. Every authentic act of leadership draws on this innate capacity, but few people discover this gift on their own. Responsibility is the fundamental principle of success in any undertaking; it is the essence of learning, growth, agility and change. This session will show how to take responsibility, as well as how to teach and inspire others to do so.
The session is based on research carried out over more than 25 years of working with engineers and IT staff. You will now be able to apply this knowledge to increase the reach and effectiveness of your leadership and build high-performance teams.
Magic was once an important institution that occupied positions of power in many ancient cultures and religions. Magicians were advisers to political rulers and believed to understand and manipulate powers from gods. It was difficult for rulers to oppose magicians. Over time, the Catholic Church grew in power and broke the connection between magic and religion, labeling magicians as working with the devil instead of worshipping divinity. Today, magic is seen purely as entertainment, with magicians considered entertainers rather than those who can connect to higher powers. People view magic shows solely for fun and relaxation rather than to understand the world.
A great powerpoint from a presentation at the OFDA Conference in New Orleans Nov. 2008. This will help you promote your Office Furniture Dealership. Thanks to Johanna Hoffman for providing this to OFDA.
Standards based security for energy utilities by Nirmal Thaliyil
The document discusses standards for cybersecurity in the energy sector. It notes that threats are increasing as energy infrastructure becomes more connected and data-driven. The document outlines some key cybersecurity standards for the energy industry including NERC CIP, IEEE1686, and IEC 62351. It maps these standards based on their level of technical detail and completeness. The document also discusses best practices for cybersecurity including technological and operational controls and how standards relate to controls for protection, detection and response.
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr... by David Sweigert
Metrics to measure response and recovery methods for severe cyber security incidents (that could lead to “black out” events for Critical Infrastructure and Key Resources) need traceable integration within incident management systems and should be offered as a solution as part of the Executive Order 13636 Cybersecurity Framework.
Dr Dev Kambhampati | Electric Utilities Situational Awareness by Dr Dev Kambhampati
This document is a draft of a NIST special publication providing guidance on situational awareness solutions for electric utilities. It includes an executive summary, approach, architecture, and security characteristics for implementing situational awareness. The publication describes a challenge electric utilities face in gaining comprehensive visibility across separate IT, operational technology, and physical security systems. It then outlines a solution developed by NIST to integrate these systems using commercial and open source tools to improve detection of cybersecurity incidents and support regulatory compliance. The benefits of the solution include improved cybersecurity, faster incident response, and more effective risk management.
NIST Guide- Situational Awareness for Electric Utilities by Dr Dev Kambhampati
This document is a draft of a NIST special publication providing guidance on situational awareness solutions for electric utilities. It includes an executive summary, approach, architecture, and security characteristics for implementing situational awareness. The publication describes a NCCoE project that developed an example solution to converge monitoring across IT, operational technology, and physical access systems in order to improve utilities' ability to detect cyberattacks and security incidents. The solution is presented as a modular guide to help utilities implement standards-based technologies in a risk-based manner to gain efficiencies in monitoring, identification, and response to cyber incidents.
The document discusses securing industrial control systems (ICS) infrastructure for compliance with NERC CIP standards and beyond. It outlines the network security challenges for bulk power systems in meeting compliance standards while balancing performance and costs. Real-world security vulnerabilities are described from assessments done by the GAO and Department of Energy. The paper then explains how a unified threat management approach using a single security platform can help simplify NERC compliance by providing firewall, VPN, antivirus, IPS, and authentication capabilities required without needing separate point products. This integrated solution secures the infrastructure while maintaining performance.
Supply Chain Threats to the US Energy Sector by Kaspersky
This presentation by Cynthia James discusses steps to take towards cyber-securing the supply chain of Energy sector organizations in the U.S. From the biggest challenges to a review of regulation and compliance guidelines, this deck covers three areas of Energy: nuclear, electric and "other".
Cynthia James is a CISSP (Certified Information Systems Security Professional) and frequent presenter for the TABD group at Kaspersky Lab, global provider of cybersecurity solutions. With 9 years of experience in the cybersecurity space, Cynthia is a regular speaker on the subject and has authored a book on cybercrime: “Stop Cybercrime from Ruining Your Life".
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf by Fas (Feisal) Mosleh
NERC CIP outline for energy utilities. The growing energy sector must understand how to improve its critical infrastructure protection as outlined by the NERC CIP standards in North America.
https://youtu.be/EbFj7I_K37Q
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy... by Schneider Electric
Federal agencies are moving their industrial control systems (ICS) from operational business networks to separate, dedicated networks in order to enhance security. However, without a system to test the new equipment and software coming into these separate networks, security risks will persist. This paper explores the impact on security of instituting a sanctioned ICS test lab and recommends best practices for setting up and operating these labs.
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities by CoreTrace Corporation
Whitepaper Abstract
Securing our nation's critical power infrastructure has never been more important. Utility systems are vulnerable to cyber threats, which can be malicious attacks from hackers or terrorists, as well as unintentional damage done by employees.
In response, industry regulators have implemented a number of regulations and standards to address these weaknesses and ensure the continued safe and reliable generation of electricity.
This NetSpi whitepaper discusses the options — including application whitelisting — that are available to harden critical systems and meet key regulatory requirements. In particular, the paper identifies options for addressing NERC Critical Infrastructure Protection standards CIP-002 through CIP-009.
Advanced Solutions for Critical Infrastructure Protection by Entrust Datacard
The document discusses how utilities can comply with NERC CIP standards for critical infrastructure protection. It recommends using multifactor authentication, such as smart cards with PINs, for physical and logical access to critical systems. An authentication platform should support revoking access quickly, migrating between authenticators, and auditing credential issuance. FIPS 201 smart cards combined with workflow management can help utilities simplify NERC CIP compliance. Entrust offers an integrated platform to issue various authenticators and manage physical and logical access control according to the standards.
150 0046-001 cost-lte_outages_industryinsights_final by Terry Young
Mobile operators have invested billions in LTE networks, while security breaches and service disruptions have risen, exposing the new vulnerabilities of this all-IP network and putting at risk the high service standards and reputation so carefully constructed. Since it costs far less for a hacker to attack a mobile network than for an operator to protect against every foreseeable threat, operators must balance business risk against infrastructure investment and rightfully demand fact-based analysis of the options. How can an operator realistically weigh the business value of deploying a new security element in such a rapidly changing and uncertain environment?
This brief from Stoke provides a methodology, with illustrative examples, for quantifying the risk versus the cost of securing the S1. The brief combines groundbreaking research from the Ponemon Institute with data from well-publicized LTE incidents and applies them to a representative operator scenario to estimate the financial impact of a security breach and network outage.
This document discusses how applying process safety best practices can improve operational technology (OT) cybersecurity. It outlines the five independent protection layers (IPLs) for process safety - inventory and configuration management, automatic process controls, human intervention, safety instrumented systems, and physical protection. Applying best practices to each IPL layer improves OT cybersecurity by making any operational changes from cyber attacks more apparent so they can be addressed quicker. Effective configuration management and change control are especially important, as the Stuxnet attack showed how undetected changes could damage equipment over time. Overall, following process safety practices enhances control performance, alarms, interfaces, and system resilience while countering modern cyber threats.
Cyber-Defensive Architecture for Networked Industrial Control Systems by IJEACS
This paper deals with the inevitable consequence of the convenience and efficiency gained from operating safety-critical applications on open, networked control systems: the vulnerability of such systems to cyber-attacks. Even with numerous metrics and methods for intrusion detection and mitigation, complete detection and deterrence of internal code flaws and outside cyber-attacks has not been found and will not be found anytime soon. Considering this inherent incompleteness of detection and prevention, and the impact and consequences of malfunctions in safety-critical operations caused by cyber incidents, this paper proposes a new computer control system architecture that assures resiliency even when the system is compromised. The proposed architecture is centered on diversification of hardware systems and on unidirectional communication from the proposed system when alerting upper layers to suspicious activity. The paper details the architectural structure of the proposed cyber-defensive computer control system architecture for power substation applications and its validation in lab experimentation and on a cybersecurity testbed.
This document provides an overview of network security concepts. It begins by stating the goals of network security are to protect confidentiality, maintain integrity, and ensure availability. It then discusses common network security vulnerabilities and threats that can arise from misconfigured hardware/software, poor network design, inherent technology weaknesses, end-user carelessness, or intentional end-user acts. The document also covers the need for network security due to increased connectivity from closed to open networks and differentiates between open versus closed security models. It emphasizes striking a balance between security and user productivity.
Tucson Electric Power Commissions Secunia's Vulnerability Intelligence Manage... by Flexera
Tucson Electric Power (TEP) provides power to over 400,000 customers and promotes renewable energy. To improve security and meet NERC compliance standards, TEP recognized the need to upgrade systems. TEP's IT Security team relied on multiple sources to obtain security updates. TEP chose Secunia's Vulnerability Intelligence Manager to gain a central location to find vulnerabilities across its systems and remain compliant with NERC standards. The manager automates vulnerability notification and assessment processes, reducing manual effort for security teams.
Daniel Ehrenreich, BSc, is a leading Industrial Control System (ICS) expert who acts as a consultant and lecturer at Secure Communications and Control Experts (SCCE), a consulting entity based in Israel.
He periodically conducts workshop sessions, online and in person, to educate international participants on ICS cyber security risks and defense measures for a broad range of ICS verticals.
He studied for the CISSP in 2014 and is certified as a Lead Auditor for the ISO 27001:2013 standard by the Israeli Institute of Standards.
Daniel has over 30 years of engineering experience with ICS for electricity, water, oil and gas, and power plants, gained at Tadiran Electronics, Motorola Solutions, Siemens and Waterfall Security.
He was re-elected as Chairman of the 6th ICS Cybersec AI&ML 2021 hybrid conference, organized by People and Computers.
This document discusses safety standards for critical systems and proposes a new concept called Assured Reliability and Resilience Level (ARRL). It notes that while safety standards aim to reduce risk, their requirements differ across domains. The document argues that Safety Integrity Levels (SIL) alone are not sufficient and that Quality of Service is a more holistic criterion. It also notes standards provide little guidance on composing systems from components. The ARRL concept aims to address these issues and complement SIL by considering factors like component trustworthiness and fault behavior. The document suggests ARRL could help foster cross-domain safety engineering.
Power plants are increasingly monitoring equipment using internet-connected systems, but this connectivity also increases cybersecurity risks. A computer virus once infiltrated a US power plant network through an infected USB drive, shutting down the plant for three weeks. To address such risks, the US Federal Energy Regulatory Commission proposes strengthening cybersecurity standards for power grids, including expanding protections to more assets and implementing new security controls. However, many control systems still use outdated software and operating systems without adequate protection.
This document discusses the emergence of industrial malware like Stuxnet, mitigations against such malware, and relevant security standards. It provides a case study of Stuxnet, describing how it spreads and causes damage. It then outlines various mitigation strategies like secure enclaves, patch management, application whitelisting, and firewalls. Finally, it discusses standards from organizations like NERC, NRC, DHS, and ISA.
Similar to Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Microsoft has tacitly declared that the default ‘status-quo’ security model for Windows simply isn't enough. With Windows 7, Microsoft has introduced new technology, dubbed AppLocker, that further legitimizes application whitelisting as the anti-malware approach of the future.
But does the technology, as delivered from Microsoft, have what it takes for IT administrators to give it true enterprise-wide adoption?
This paper, written by Jeremy Moskowitz, MCSE, MCSA, Microsoft Group Policy MVP and Chief Propeller-Head for Moskowitz, Inc, helps IT Practitioners and IT Managers learn:
How to implement and leverage AppLocker to perform application whitelisting,
The limitations inherent within AppLocker, and
How other tools — like BOUNCER by CoreTrace — can fill in the gaps that AppLocker leaves.
Whitepaper Abstract
This white paper explains why application whitelisting is being rapidly adopted as a security and control solution for control systems.
In three major sections, the paper:
Provides a detailed perspective on how application whitelisting technology works.
Discusses the use and benefits of whitelisting technologies in control system and Energy environments.
Explains how the technology is adapting to function in environments where controlled software changes are needed.
CoreTrace Whitepaper: Application Whitelisting And Energy Systems by CoreTrace Corporation
Whitepaper Abstract
This white paper explains why application whitelisting is being rapidly adopted as a security and control solution for SCADA systems.
In three major sections, the paper:
Provides a detailed perspective on how application whitelisting technology works.
Discusses the use and benefits of whitelisting technologies in SCADA and Energy environments.
Explains how the technology is adapting to function in environments where controlled software changes are needed.
Whitepaper Abstract
The Payment Card Industry (PCI) computer systems are continually under attack due to the importance of the information they protect. In response to this threat, the PCI has produced an excellent series of process and security tool requirements known as the Data Security Standard (DSS). The DSS identifies a series of principles and accompanying requirements that are critical to the integrity of the industry's computer systems.
This paper outlines relevant PCI DSS requirements and discusses how BOUNCER by CoreTrace provides an elegant solution for meeting many of the requirements — in any PCI environment with sensitive data, from large servers processing thousands of transactions to small kiosks in the mall.
Whitepaper Abstract
Any technology investment today must have an attractive ROI. This paper demonstrates the ROI associated with implementing the leading application whitelisting solution, BOUNCER by CoreTrace. Using a 500-server example, the paper outlines the various levers that generate a rapid and significant ROI. Not only does BOUNCER provide dramatically improved endpoint security, it does so at a significant savings of $938,085 over Endpoint Security 1.0 solutions — a savings of $846 per-server per-year. Moreover, the BOUNCER implementation is forecasted to pay for itself in less than 10 months.
Whitepaper Abstract
Some malware threats are simply nuisances, and then there are truly dangerous and malicious ones. In the latter category, buffer overflow attacks and rootkits are the favorites of professional hackers. Often they are used in tandem, with a buffer overflow providing the way in and a rootkit providing a highly stealthy way to stay in.
This whitepaper explains these two threats and why traditional security approaches have been largely ineffective against them. Then the paper outlines how Endpoint Security 2.0 solutions using kernel-level application whitelisting can effectively neutralize the threats and provide greater peace of mind.
CoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm by CoreTrace Corporation
Whitepaper Abstract
Blacklist-based antivirus products and emergency security patches have traditionally been the core elements of Endpoint Security 1.0 strategies. Endpoint Security 1.0's failures have been well documented in the headlines: data breaches, identity theft, cyberextortion, etc. However, Endpoint Security 1.0 approaches continued for one very simple reason: the absence of a superior alternative.
Fortunately, highly secure and easily updated application whitelisting is now available to provide superior endpoint security. Application whitelisting is at the core of Endpoint Security 2.0 offerings. This whitepaper explains the fundamental motivations behind the movement to Endpoint Security 2.0 and outlines a means to compare alternatives.
BOUNCER is an endpoint security solution that helps organizations meet multiple PCI Data Security Standard requirements by enforcing application whitelists and maintaining system configurations. It protects against viruses, malware, and zero-day exploits. BOUNCER also includes a host-based firewall and monitors network access to detect policy violations. The solution secures payment systems from both internal and external threats while imposing minimal performance overhead.
Matthew Luallen, Founder and CEO of Encari, and Paul Feldman, Chairman of the Mid-West ISO, have written a whitepaper that explains how utilities attempting to meet the North American Electric Reliability Corporation "Critical Infrastructure Protection" (NERC CIP) requirements can meet both the spirit and the letter of the regulations.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack by shyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 by Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Removing Uninteresting Bytes in Software Fuzzing by Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf by Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
Pushing the limits of ePRTC: 100ns holdover for 100 days by Adtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
What do a Lego brick and the XZ backdoor have in common? by Speck&Tech
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies, of creative and software projects. The reality is that a Lego brick and the XZ backdoor case have much more in common than that.
Join the presentation to immerse yourself in a story of interoperability, open standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia Association, where she has been involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for various public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity about astronomy (from which her nickname deneb_alpha derives).
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Malicious Software Prevention for NERC CIP-007 Compliance:
Protective Controls for Operating Systems and Supporting Applications
Matthew E. Luallen, Co-Founder, Encari
Paul J. Feldman, Chairman of the Midwest ISO, Independent Director of Western Electricity Reliability Council (WECC)
Executive Summary
Utilities attempting to meet the North American Electric Reliability Corporation “Critical Infrastructure Protection” (NERC CIP) requirements have encountered an unexpected, but very serious conundrum in the cyber-security realm: should they strive to meet the spirit or the letter of the regulations?
The potential penalties are compelling, up to $1,000,000 per day of non-compliance per requirement; however, “checking the box” and simply meeting the letter of the NERC CIP requirements should not be the primary goal. Increasing security for security’s sake should not be the goal either. All solutions must focus on meeting the true intention of the NERC CIP requirements — the same goal that has driven investments since the dawn of the electric infrastructure: protecting the reliability and availability of the Bulk Electric System (BES).
Utilities could “check the box” and meet the letter of the regulations by implementing and maintaining traditional security solutions (e.g., blacklist-based antivirus, emergency security patches). However, security teams have discovered that these solutions may not only fail to protect reliability and availability, they may negatively impact the goals themselves. For example, on critical Process Control Systems (PCS) at the core of the electric infrastructure, blacklist-based applications may impose unacceptable performance burdens, while vulnerability patches may jeopardize stability, be delayed by the PCS vendor, or affect system availability during application and/or system reloading.
Fortunately, there is another way to truly meet the spirit of the NERC CIP requirements: application whitelisting. Application whitelisting modifies the traditional antivirus and host security approach and turns it 180 degrees. Rather than maintaining an exponentially enlarging blacklist of detected malicious software, this newer and more powerful technology enforces a relatively small whitelist of the authorized applications for each system. Application whitelisting automatically eliminates all unauthorized applications by ensuring that only approved applications can execute, including the prevention of even unknown malware.
This paper will explain why application whitelisting may serve as a compensating control for NERC CIP-007, R3 (security patching) and as a solution for CIP-007, R4 (anti-malware). Application whitelisting also stops all unknown applications from executing; therefore, depending upon installation options, the same application whitelisting implementation may simultaneously aid utilities in meeting NERC CIP-003, R6 (change control and configuration management).
Cyber-security of the Electric Infrastructure
Almost every aspect of American life depends on the reliable delivery of electricity — from producing goods to saving lives, from defending the country to conducting electronic banking and commerce. Quite simply, the electric infrastructure is one of the United States’ most critical resources and needs to be protected as such.
The importance of the electric infrastructure is not news to utilities and regulators. Over the years, technologies and regulations have been implemented with the singular goal of ensuring the reliability and availability of electric power through the high voltage electrical infrastructure (the Bulk Electric System or BES). The BES grid has been architected to prevent cascading power failures and to continue functioning whenever one generator or transmission line fails (“N-1” failure protection). The industry has done a remarkable job lately in dealing with these N-1 situations that are often the result of natural disasters or some other rare event.
But what happens when there are multiple, simultaneous failures or system manipulations rather than just one? The grid is not currently equipped to handle this situation, referred to by many as the “N-x” failure situation. The cost of building a redundant, balanced ability to respond to this situation is prohibitive at best, and potentially even mathematically impossible. Fortunately, the odds of a natural event or a physical attack creating this situation have been so low that the investments weren’t warranted.
Today, nature is not the biggest concern when it comes to potential N-x situations. That distinction belongs to cyber-attacks. Whether for extortion or terrorism, cyber-attacks against the electric infrastructure are particularly ominous because they can easily be designed to create an N-x attack situation. Realizing this fact, the industry and regulators have been working to create standards and implement technologies to thwart these attempts.
The North American Electric Reliability Corporation (NERC), a self-regulatory organization that is subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada, is a primary player in this effort. NERC’s mission is to ensure the reliability of the bulk power system in North America. Specific to cyber-attacks and their ability to create N-x situations, NERC has worked with the electric industry to create a set of requirements known as the NERC CIP (“Critical Infrastructure Protection”) Cyber Security Standards to protect the grid’s most critical assets. Utilities throughout North America are focused on the NERC CIP standards and reliability of the Bulk Electric System — but under a new and evolving regime of mandatory compliance and possible fines. Philosophies of “carrot” versus “stick” have not been fully worked out to establish a system whose focus is clearly reliability, and the danger of a compliance focus (at the possible expense of reliability) is real. Every company needs to examine its own goals and motivations in this regard to ensure a continued focus on reliability with compliance as a byproduct rather than THE product. While reliability and compliance can go hand in hand, the industry still has work to do to ensure that is truly the case. In the meantime, each company needs to ask the question: “Do our budget processes, organizational structures, reward systems, and senior management actions support a culture of reliability, or is reliability secondary to compliance?” Companies must understand that the answers to this question will drive different actions throughout the organization with ultimately different consequences.
Security of Critical Cyber Assets: Introduction to NERC CIP-007
“Checking the box” and simply meeting the letter of the NERC CIP requirements should not be the goal. Increasing security for security’s sake should not be the goal either. All solutions must focus on meeting the true intention of the NERC CIP requirements and balance appropriately the delicate security model — the same goal that has driven investments since the dawn of the electric infrastructure: protecting the reliability and availability of electricity delivery. All stakeholders — the asset owners, customers and the government — must contemplate a thorough understanding of the risks. The owners and the shareholders need and deserve a fair return on their investments, the customers want to safely procure a valuable commodity with high reliability and low cost, while the government needs to manage risk across all 18 Critical Infrastructures / Key Resources (CI/KR).
The NERC CIP standards provide a convenient roadmap for the assets that need controlling/protecting from cyber-attacks: “Critical Cyber Assets” (CCA) and Non-Critical Cyber Assets (NCCA) located within an Electronic Security Perimeter (ESP). While there are nine NERC CIP requirements, this paper focuses on the requirements that are directly related to securing the critical process control systems at the core of the electric infrastructure: Energy Management Systems (EMS), Distributed or Digital Control Systems (DCS), and Plant Control Systems (PCS). The primary anti-malware requirement is located within NERC CIP-007, and the most relevant sections associated with application whitelisting are as follows:
• CIP-007-R3: Security Patch Management: The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003 Requirement R6, shall establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).
  R3.1: The Responsible Entity shall document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades.
  R3.2: The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.
• CIP-007-R4: Malicious Software Prevention: The Responsible Entity shall use Antivirus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
  R4.1: The Responsible Entity shall document and implement Antivirus and malware prevention tools. In the case where Antivirus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.
  R4.2: The Responsible Entity shall document and implement a process for the update of Antivirus and malware prevention “signatures.” The process must address testing and installing the signatures.
The rest of this paper will outline how utilities can best meet these requirements — and simultaneously improve the infrastructure’s overall security, reliability and availability — in a manner that is consistent with the operational reality of control systems.
Unique Operational Realities of Critical Control Systems
Any discussion about the security of control systems must begin with an understanding of the realities of these critical implementations — realities that traditional security solutions simply cannot handle. While the list is long, there are four major challenges that deserve mention:
1. Many control systems are isolated and not always connected to the Internet; therefore, the systems are unable to consistently download the latest antivirus signatures or patches, leaving them vulnerable even to known attacks.
2. Most control systems cannot be rebooted or can only be rebooted at specific times in very tight maintenance windows, making unplanned installations of operating system or application patches infeasible.
3. Control systems generally have limited memory and hardware resources available, making them unable to handle the performance impacts of resource-hungry security applications, including blacklist-based antivirus.
4. Many security systems today are running on older operating systems that are no longer supported and for which patches are no longer created.
As a real world example, a global energy company headquartered in the northeast USA was concerned about the use of blacklist-based antivirus solutions on the execution of real-time applications for its power generating plant control systems’ operations. The company’s Critical Cyber Assets include operator interfaces (a.k.a. Human Machine Interfaces or HMI) in the DCS/PCS environment that are critical to reliable and safe operation of their assets and data historians. While a typical energy management (a.k.a. Supervisory Control and Data Acquisition or SCADA) system used by utilities for control of electricity production and delivery over large geographic areas can tolerate two second status and ten second analog updates, acceptable HMI operations in a generating plant environment are based on a one second maximum response time and refresh rate. Operational testing on a plant data historian demonstrated that blacklist-based applications imposed an unacceptable burden on response time and refresh rates through higher processor loading and additional network traffic between the control system cyber assets. Additionally, the generating company’s stringent uptime standards made unplanned patches — especially those that required rebooting — unfeasible. The company was also concerned that automatic delivery of blacklist signature updates over the Internet or Intranet poses risk to application reliability and requires opening ports in firewalls that pose a threat to the security of the generating plant cyber assets; management of these risks requires additional resources.
In the end, traditional solutions can be implemented to simply meet the “check boxes” of the requirements, but utilities are forced to choose between various suboptimal outcomes when they do. These outcomes may include increased management costs, impacted performance and availability, and a false sense of security. Specifically:
• CIP-007, R3 Compliance: Patch management systems can meet the requirement if managed and implemented correctly on a consistent on-going basis using defined and approved procedures.
• CIP-007, R4 Compliance: Antivirus solutions can meet the requirement if managed and implemented correctly on a consistent on-going basis using defined and approved procedures.
• Performance Impacts: Blacklist scans impose an unacceptable performance burden on these critical systems — this is especially the case on older systems with limited resources.
• System Availability: Control systems’ high availability is jeopardized by patches that require the rebooting of systems during normal operating hours.
• Complexity Risk: Even if patch management and traditional antivirus solutions are perfectly implemented, the fact that they introduce an element of continued implementation complexity versus alternatives is an added risk.
• False Sense of Security: Blacklisting solutions are ineffective against unknown, zero day and targeted malware, rootkits and most memory attacks. Systems without consistent connectivity may be exposed to even known threats if signatures are not updated or patches have not been applied. Out-of-support legacy systems (for which patches will never be available) will remain unprotected against even known vulnerabilities.
Even in the face of this daunting list of operational inconsistencies, utilities would still implement traditional security solutions if they were highly effective at securing systems or if they were the only option to meet the NERC CIP requirements. The reality is that they are neither. Security professionals (and even the antivirus vendors themselves) agree that blacklisting is no longer sufficient to defeat today’s threats. Blacklisting cannot address whole classes of malware threats and attacks (e.g., zero-day exploits, targeted attacks, memory exploits, rootkits, etc.) and independent tests show blacklisting solutions’ detection rates continue to drop. An alternative approach exists – Cyber Asset Application Whitelisting.
Why Cyber Asset Application Whitelisting is a Viable Solution
Application whitelisting takes the traditional antivirus approach and turns it 180 degrees. Rather than maintaining an exponentially enlarging blacklist of known malicious software, this new and powerful technology enforces a relatively small whitelist of the authorized applications for each computer. By ensuring that only approved applications can execute, application whitelisting automatically eliminates all unauthorized applications — including even unknown malware. This approach meets the actual intention of the NERC CIP requirements: preventing all unauthorized applications from executing on Critical Cyber Assets.
While this paper is not intended to explain all of the technical intricacies of how application whitelisting solutions work, leading solutions are built on two fundamental principles. First and foremost, the solutions are designed to enforce a relatively small list of known and approved applications rather than chase a huge and exponentially growing list of detected malware. For instance, to protect your home, would you rather issue house keys to all family members and friends that are allowed access (whitelist) or define restrictions for each individual in the world that is not allowed access (blacklist)? This paradigm shift occurred in the mid-1990s for firewall technology as entities began implementing “deny by default” firewall rules implemented for the past five years leveraging the whitelisting model. The solution must also be designed to easily handle the addition of new applications or updates without increasing management overhead or requiring any changes to the company’s existing operational approaches.
For application whitelisting to enforce a list of known and approved applications, each of the following must occur. The solution must have a way of building or acquiring the whitelist of applications for any given computer — preferably from the computer itself since no two computers are alike. Also, the solution must securely and efficiently enforce the whitelist on the computer. And finally, the solution must have the ability to report any attempts to violate the security policies it is enforcing. These three capabilities together provide the security required to protect the computer, while at the same time reporting on system status.
The whitelist enforcement mechanism is best deployed in the form of a tamper-proof client installed on each computer or endpoint. It is crucial that local users or malicious programs cannot circumvent the enforcement provided by this engine, so the client must function in the operating system itself. Through tight integration with the operating system, the solution is able to protect the system and have the greatest efficiency — it essentially functions as part of the operating system rather than an add-on security feature. From within the operating system, the client reads in the whitelist, and ensures that only those applications on the whitelist are allowed to run. This process begins during boot time when the operating system is starting, and then checks all executables that load to ensure they are authorized. The client only performs checks when a new application or process attempts to start, so the ongoing performance impact is imperceptibly low compared to blacklist antivirus scans. It is paramount that asset owners work with control system vendors to include this type of capability directly into the control system software and/or hardware. Control system vendors of IEDs, RTUs, Relays, Synchrophasors and other hardware and software need to ensure that their future systems are protected by default — application whitelisting is an excellent step in the correct direction.
Application whitelisting solutions also monitor activity to aid in NERC CIP-007, R6 compliance. For example, a solution can log attempts to overwrite protected applications on the computer or attempts to run unauthorized applications. The solution can also periodically remove all unauthorized applications that may have been copied to the Cyber Asset, ensuring the pristine condition of the Cyber Asset is maintained. Compliance reports can show the system configuration has been maintained and any unauthorized executables that have been removed, thereby providing supporting evidence that is necessary for NERC CIP-003, R6.
Addressing another one of application whitelisting’s fundamental principles, an application whitelisting solution must be able to automatically — without requiring real-time IT involvement — update the whitelist whenever new applications are added or existing ones are upgraded. Even in a controlled environment like energy systems, the Cyber Assets must eventually be updated with newer applications or patches. Some of these requirements are driven by compliance and company policies, while others are required to implement new functionality.
Innovative whitelisting solutions allow authorized change while still maintaining security on the Cyber Asset. The term being applied to this process is “Trusted Change”. All trusted change is built on this simple concept: IT establishes multiple “sources of trust” from which users and Cyber Assets can install applications or upgrades. As long as the users and Cyber Assets receive the applications or upgrades from these trusted sources, the applications or upgrades can be automatically added to the whitelist without any additional IT involvement. The additions are transparent and friction-free. Examples of trusted sources include trusted applications, trusted digital signatures, trusted updaters, and even trusted users.
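The build/enforce/report loop described in the preceding section and the trusted-change sources described here, as an added Python model that is not the paper's or any vendor's code: the paths, file contents, signer name and updater path are constructed sample data, and the hook into a real operating system is assumed rather than modelled.

```python
"""Added example, not from the Encari/Feldman paper: a minimal model of the
three whitelisting capabilities the text describes (build the whitelist from
the host itself, enforce it only when a process starts, report violations)
plus the "trusted change" mechanism that extends the whitelist automatically
when an application arrives from a trusted source. Paths, file contents,
signer names and the updater path are constructed sample data; the hook into
a real operating system is not modelled."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Executable:
    """Constructed stand-in for a binary the OS is about to load."""
    path: str
    content: bytes
    signer: Optional[str] = None       # hypothetical: publisher of its digital signature
    launched_by: Optional[str] = None  # hypothetical: path of the parent process


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class WhitelistAgent:
    # sha256 -> path: the approved applications of this one computer
    whitelist: Dict[str, str] = field(default_factory=dict)
    # "sources of trust" from which new applications may be accepted
    trusted_signers: Set[str] = field(default_factory=set)
    trusted_updaters: Set[str] = field(default_factory=set)
    # events kept for status monitoring and compliance evidence
    events: List[dict] = field(default_factory=list)

    def baseline(self, installed: List[Executable]) -> int:
        """Build the whitelist from the computer itself at commissioning time."""
        for exe in installed:
            self.whitelist[sha256(exe.content)] = exe.path
        return len(self.whitelist)

    def check_execution(self, exe: Executable) -> bool:
        """Allow/deny decision taken only when a process attempts to start."""
        digest = sha256(exe.content)
        if digest in self.whitelist:
            return True
        # Trusted change: applications delivered through a trusted source are
        # added to the whitelist without real-time IT involvement.
        if exe.signer and exe.signer in self.trusted_signers:
            self._trusted_add(exe, digest, "trusted signature: " + exe.signer)
            return True
        if exe.launched_by and exe.launched_by in self.trusted_updaters:
            self._trusted_add(exe, digest, "trusted updater: " + exe.launched_by)
            return True
        # Everything else is blocked: an unknown binary, a modified copy of an
        # approved binary (its hash no longer matches), or malware.
        self.events.append({"event": "blocked", "path": exe.path, "sha256": digest})
        return False

    def _trusted_add(self, exe: Executable, digest: str, reason: str) -> None:
        self.whitelist[digest] = exe.path
        self.events.append({"event": "whitelisted", "path": exe.path,
                            "sha256": digest, "reason": reason})

    def unauthorized_files(self, present: List[Executable]) -> List[str]:
        """Files found on the asset that are not approved: candidates for the
        periodic removal and the configuration evidence the paper mentions."""
        return [exe.path for exe in present
                if sha256(exe.content) not in self.whitelist]


if __name__ == "__main__":
    agent = WhitelistAgent(trusted_signers={"PCS Vendor Co"},
                           trusted_updaters={"C:/pcs/updater.exe"})
    hmi = Executable("C:/pcs/hmi.exe", b"hmi v1")
    historian = Executable("C:/pcs/historian.exe", b"historian v1")
    agent.baseline([hmi, historian])
    print(agent.check_execution(hmi))                                      # True
    print(agent.check_execution(Executable("C:/temp/dropped.exe", b"x")))  # False
    patch = Executable("C:/pcs/hmi.exe", b"hmi v2", signer="PCS Vendor Co")
    print(agent.check_execution(patch))                                    # True, auto-added
    for ev in agent.events:
        print(ev)
```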
By preventing all unauthorized applications and malware from executing, application whitelisting simultaneously serves as a compensating control for NERC CIP-007, R3 and a solution for CIP-007, R4 in a way that also increases security and protects the availability / reliability of electricity delivery. Specifically:
• CIP-007, R3 Compliance: By preventing the execution of malware — including those that are deposited via vulnerabilities that haven’t been patched or via memory-based attacks like DLL injections — application whitelisting is a compensating control until the PCS vendor approved security patches are installed during regular maintenance windows.
• CIP-007, R4 Compliance: Application whitelisting may currently meet CIP-007, R4 (since it is clearly an anti-malware solution) or it may be considered a compensating control (since it eliminates all unauthorized applications from executing).
• Security: Application whitelisting, or deny by default, is far more effective than blacklisting because it prevents all malware, whether known or unknown. Leading versions stop rootkits and prevent memory attacks like DLL injections and attempts to write to kernel memory as well. Additionally, application whitelisting provides protection for out-of-support legacy Cyber Assets for which patches will never be available.
• Performance Impacts: Since the whitelists are relatively small and only run when an application attempts to execute, the performance impact is imperceptible.
• System Availability: Control systems’ high availability is protected because the Cyber Assets are not required to be rebooted during normal operating hours.
Application Whitelisting Aids in Complying with NERC CIP-003, R6 and CIP-007, R6
While the bulk of this paper has been focused on meeting the true intention of NERC CIP-007 R3 and R4, preventing the execution of any malware, the reality is that application whitelisting prevents the execution of all unauthorized applications — not just malicious ones. Unauthorized applications are a focus of NERC CIP-003, R6:
• CIP-003, R6: Change Control and Configuration Management: The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.
Application whitelisting may aid in stopping a non-compliant, unapproved activity pursuant to CIP-003, R6 by providing attempted change detection and actual execution restriction of unauthorized applications. Application whitelisting solutions also typically include baselining and reporting to aid in the generation of evidence pursuant to CIP-007, R6 Security Status Monitoring:
• CIP-007, R6: Security Status Monitoring: The Responsible Entity shall ensure that Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
Any identified security event may be a result of poorly defined procedures and executed practices of change control and configuration management, or of actual attempted Cyber Asset manipulation that should be managed and escalated according to an entity’s CIP-008 Cyber Security Incident Response Plan (CSIRP).
Other benefits of application whitelisting in lieu of blacklisting for control system host computers include:
• Eliminating the need to test and update blacklist signatures per CIP-007, R4.2.
• Control system hosts need not be continuously connected to an external network to maintain a high degree of protection against malware.
• The application environment for control system hosts is relatively static after initial Cyber Asset commissioning. The use of application whitelisting requires minimal management resources compared to blacklisting.
Conclusion
In addition to superior protection against even zero-day attacks, application whitelisting is gaining a following because it addresses the operational realities associated with control system implementations that blacklist-based solutions cannot. First, application whitelisting continues to provide protection without requiring signature or patch updates, so it can function in Cyber Assets that are not connected to the Internet. Second, whitelist-protected control systems remain online until regularly scheduled maintenance windows, instead of requiring downtime for emergency vulnerability patches. Third, application whitelisting solutions typically do not impact control system performance — a significant advantage over resource-hungry security applications like blacklist-based antivirus. Fourth, resource requirements for management of application whitelisting for control system hosts are minimal compared to blacklisting because of the relatively static application environment in power plant control systems. And finally, leading application whitelisting solutions provide protection for control systems that are built on older, unsupported operating systems for which no patches are available.
For all of these reasons, application whitelisting is a solid option for utilities trying to secure control systems, to meet NERC CIP requirements, and to protect the overall availability and reliability of the BES in North America.
Information Note: The views expressed in this paper are the authors’ own and not necessarily associated with any organization that the authors serve in Board, Client, or Advisory Board roles.