Jim Girouard, Sr. Product Development Manager at Worcester Polytechnic Institute, outlines the growing menace of cyber attacks on utility companies and how to educate yourself to reduce risk.
Webinar - Reducing the Risk of a Cyber Attack on Utilities
1. Reducing the Risk of a Cyber Attack on Utilities
Jim Girouard, Sr. Product Development Manager
Corporate and Professional Education
2. About WPI
Fully accredited, non-profit, top quartile national university*
Founded in 1865 to teach both “Theory and Practice”
Robust Computer Science, Power Systems Engineering and Business Departments
DHS/NSA Designated Center of Excellence in Information Security Research
*U.S. News and World Report
3. Today’s Dialogue – Cybersecurity Education
Outline:
– The Growing Menace
– New vulnerabilities due to Smart Grid Technology
– National Framework for Cybersecurity Workforce Education
– Essentials of a cyber security education program
– How to craft a customized education program
– Discussion
15. Stuxnet
• Infiltrates the Microsoft Windows OS to infect SCADA systems
• A virus, worm and Trojan in one
• Evades detection; erases its path as it jumps to the next system
• Disables safety systems
• Utilizes a “Man in the Middle” attack strategy
• Once it infects SCADA PLCs it waits, observes, then acts
• Returns a recording of normal operation to the operators
• Successfully destroyed ~1,000 centrifuges (30% of capacity)
• Source code available on the web for $150K
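The “returns a recording of normal operation to operators” behaviour has a defensive counterpart worth seeing in code. The following is an added example, not material from the webinar: a detector that flags an operator display being fed an exact repeat of earlier telemetry, and a cross-check of the displayed values against an independent (out-of-band) measurement. All sample data is constructed and every function name is hypothetical.

```python
"""Added example (not from the webinar): spotting a replayed 'normal operation'
recording on an operator screen.  All data below is constructed; the function
names are hypothetical."""
from random import Random


def find_replayed_windows(samples, window=8, decimals=3):
    """Return (earlier_start, later_start) pairs where a window of reported
    samples exactly repeats an earlier, non-overlapping window.
    Genuine process data carries sensor noise, so an exact multi-sample
    repeat is a strong sign the display is being fed a recording."""
    seen = {}
    hits = []
    for i in range(len(samples) - window + 1):
        key = tuple(round(v, decimals) for v in samples[i:i + window])
        first = seen.setdefault(key, i)      # index of the first occurrence
        if first + window <= i:              # an earlier, non-overlapping copy exists
            hits.append((first, i))
    return hits


def divergence_alerts(shown, measured, tolerance):
    """Indices where the value on the HMI differs from an independent,
    out-of-band measurement by more than the tolerance."""
    return [i for i, (s, m) in enumerate(zip(shown, measured))
            if abs(s - m) > tolerance]


def constructed_streams(n=32, window=8):
    """Constructed telemetry: a nominal reading of 1000.0 with sensor noise.
    From the midpoint the real process is driven upward (the 'act' phase),
    while the HMI keeps showing the first window replayed in a loop."""
    rng = Random(7)  # fixed seed so the example is repeatable
    measured = [1000.0 + rng.uniform(-0.5, 0.5) for _ in range(n)]
    for i in range(n // 2, n):
        measured[i] += 20.0 * (i - n // 2 + 1)
    shown = measured[:window] * (n // window)
    return shown, measured


if __name__ == "__main__":
    shown, measured = constructed_streams()
    print("replayed windows on the HMI:", find_replayed_windows(shown)[:3], "...")
    print("repeats in the genuine stream:", find_replayed_windows(measured))
    print("HMI/measurement divergence at:", divergence_alerts(shown, measured, 5.0))
```

The second check only works if the comparison measurement reaches the analyst on a path the compromised PLC and HMI cannot write to.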
17. Black Energy
PowerSource
• Also a virus, worm and Trojan
• Reported in October 2014 but could have been around since 2011
• Suspected country of origin: Russia
• Infects Human-Machine Interfaces including GE Cimplicity, Siemens WinCC and Advantech/Broadwin WebAccess
• Attempts to damage, modify, or otherwise disrupt the victim systems’ control processes
• Modular and difficult to detect
19. ICS-CERT 2014 Annual Report
• 245 incidents reported, including:
– Unauthorized access and exploitation of internet-facing SCADA
– Exploitation of zero-day vulnerabilities
– Infections within “air gapped” control networks
– SQL injection and exploitation
– Network scanning
– Watering hole attacks
– Spear-phishing campaigns
23. Anatomy of a Sophisticated Cyber Attack
[Diagram with three elements: Domain Knowledge, Physical Attack, Cyber Attack]
25. “There are two types of companies. Those that have been attacked and those that don’t know it yet”
Scott Aaronson, Senior Director, Edison Electric Institute
26. Cyber Defense Roles to prevent, detect and effectively respond
[Diagram mapping personnel groups to defense strategies and education]
Roles shown: All Other Personnel; MIS & IT Professionals; Software Engineers
Defense strategies shown: Resiliency via secure software design; Resiliency via several barrier defense strategies; Intrusion Detection; Forensics
Education shown: Human Firewall Training; Executive Response Training; Graduate Cyber-CS Education; Certifications, Professional Development & Graduate Cyber-CS Education
30. The National Cybersecurity Workforce Framework*
* http://csrc.nist.gov/nice/framework/
• Issued by the National Initiative for Cybersecurity Education (NICE)
• Provides a common lexicon for cybersecurity work.
• A collaboration of federal agencies, academia and general industry.
• Constructed of “Categories” and “Specialty Areas” to group similar types of work.
• Provides tasks, knowledge, skills, and abilities (tKSAs) within each area.
• Version 2.0 is currently being drafted
33. National Cybersecurity Workforce Framework
Category: Specialty Areas Include
– Securely Provision: Systems Security Architecture; Secure Acquisition; Software Assurance and Security Engineering; Test and Evaluation; Systems Development
– Operate and Maintain: System Administration; Network Services; Systems Security Analysis
– Protect and Defend: Incident Response; Computer Network Defense Analysis; Vulnerability Assessment and Management
– Investigate: Digital Forensics; Cyber Investigation
– Collect and Operate (Federal Government Role): Collection Operations; Cyber Operations and Planning
– Analyze: Cyber Intelligence; Exploitation Analysis; Targets; Threat Analysis
– Oversight and Development: Legal Advice and Advocacy; Security Program Management; Strategic Planning and Policy Development; Training, Education and Awareness; Knowledge Management
36. What to Look For: Accreditations
Computer Science; Engineering; Business; Whole University
37. What to Look For: Domain Knowledge
For example, at WPI:
NSA/DHS Designated Center of Excellence
Core Faculty Performing Current Research
• Trusted Computing Platforms
• Algorithms & Architectures for Cryptography
• Analysis of Access-Control and Firewall Policies
• Wireless Network Security
• Cyber-Physical System Security
Power Systems Engineering – utility technology, systems, equipment & culture
38. What to Look For: Program Tailored to Your Needs
The Framework is generic. To maximize your ROI, your program must be relevant:
• Address your unique requirements.
• Address SCADA vulnerabilities
• Include NERC CIP
• Provide utility-based examples/case studies
• Be convenient for your students
39. Timeline to a Customized Program
The WPI Process: Identify Customer Needs → Create Learning Objectives → Meet with Executive Sponsor → Go/NoGo
40. Effective Learning Objectives
“As a result of this course, the student will be able to …”
Verbs to Use: explain, estimate, design, solve, prepare, detect, assess, determine, infer, illustrate, complete, operate, employ, rank, test, visualize, lead, etc.
Verbs to Avoid: appreciate, understand, learn, cover, believe, study, comprehend, etc.
41. Timeline to a Customized Program
The WPI Process (steps in the order shown):
– Identify Customer Needs
– Create Learning Objectives
– Select Instructor(s)
– Meet with Executive Sponsor
– Select Best Delivery Method
– Develop Customized Curriculum
– Launch Pilot Program
– Assign Dedicated Support Team
– Survey Students (Mid, End)
– Evaluate Surveys with Sponsor
– Go/NoGo
42. Courses Customized for the Power Industry
• Computer and Network Security: including SCADA protection and NERC CIP standards
• Operations Risk Management: focus on social media phishing and embedded malware risks
• Case Studies in Computer Security: including power industry examples
43. A Custom Graduate Cybersecurity Program
Framework Category: Courses
– Securely Provision: Computer and Network Security; Software Security Design and Analysis
– Operate and Maintain: Computer and Network Security
– Protect and Defend: Intruder Detection
– Investigate: Digital Forensics
– Collect and Operate / Analyze: Government Role - Not in Program
– Oversight and Development: Operations Risk Management; Case Studies in Computer Security
Modeled after The National Cybersecurity Workforce Framework
45. “There are known knowns, things we know that we know; and there are known unknowns, things that we know we don't know. But there are also unknown unknowns, things we do not know we don't know.”
- Donald Rumsfeld
49. In Summary
Attack Mode: Counter Measures
Known knowns:
• Maintain Robust Cyber Security Infrastructure
• Maintain Physical Security Measures
• Continue Secure Process Training (Human Firewall)
Known unknowns:
• Conduct Penetration Testing & Analysis
• Perform Cyber Security Gap Analysis (DHS CSET)
• Practice Supply Chain Cyber Risk Management
• Stay Informed on Evolving Vulnerability Assessments
Unknown unknowns:
• Prepare for “the day after”
• Perform Incident Response and Analysis - Forensics
• Develop Systems Behavior Modeling
• Invest in Continuing Education