Cyber Risk: Protecting our Critical infrastructure - … Risk: Protecting our Critical...
Transcript of Cyber Risk: Protecting our Critical infrastructure - … Risk: Protecting our Critical...
Cyber Risk: Protecting our Critical infrastructure
Sharon Chand [email protected] Advisory LLP
Brad [email protected] & Touche LLP
Executive SummaryInvestments in security are at an all-time high, yet successful cyber-attacks are still on the rise, both in number and sophistication. While today’s fast-paced technology innovation powers strategic initiatives in the Grid, it also opens new doors for cyber attackers. They target financial assets and personal data, but also intellectual property and critical infrastructure. A Secure.Vigilant.Resilient.TM approach helps companies get ahead of cyber risk so they can keep moving forward.
Agenda
Energy industry threats –the specific threats facing Energy
Trends in cyber risk –initiatives with momentum in our industries
Secure. Vigilant. Resilient™ -a holistic approach to managing cyber risk
Alternative Energy impacts –unique cyber risk impacts from alternative energy
Cyber risk is a category of business risks that have strategic, operational and regulatory implications. Cyber risk management assesses threats, vulnerabilities and its potential impact to the broader organization
Cyber Risk ≠ Cyber SecurityCyber risk and cyber security are often used interchangeably however they are two different concepts
Cyber security is a category of solutions that partially address cyber risk. Cyber security is based on the principles of confidentiality, integrity and availability
Cyber Risk
Cyber Security
Cyber Risk Impacts Energy Critical InfrastructureEnergy Critical Infrastructure provides safe and reliable Generation and Transmission
Energy Critical Infrastructure Regulated for ReliabilityRegulated for Safety, Security, and Emergency Preparedness
Cyber Threat Landscape
Social engineering
Phishing
Botnets
Exploits
Ransomware & doxxing
INFRASTRUCTURE COMPLEXITY• Endpoint diversity• Rogue devices• Co-mingled corporate / OT
assets• Unpatched OT/ICS equipment• Excessive third party access
Organized crimeWho are the actors?
What techniques do they use?
How do they get in to your environment? Suppliers
& partnersEmployees & contractors
Mobile devices
Network Access
Physical Access
Nation-state actors
How do they exploit corporate challenges?
What potential impact can they cause?
Individuals
Ideological groups
DDoSWebsite compromise
Password theft
Evasion tactics
SECURITY OPERATIONS• Lack of Secure Supply Chain• Patching and system upgrade
challenges• Physical/IT monitoring integration• Inconsistent security controls• Insufficient skills/staffing
PROCESS /GOVERNANCE• Ongoing regulatory changes• Inadequate change control
processes• Lack of business risk alignment• Lack of risk-to-asset mapping
Data loss IP theft Threat to life or safety
Operational disruption
Reputation damage
Fraud or revenue loss
Malware Targeted Zero-Days
Authorized AccessCounterfeit
Devices
How Threat Becomes Impact for Critical Infrastructure
Cyber Threats are Not MonolithicUnderstanding cyber risk starts with identifying the specific threats facing an organization, which allows us to prioritize what to secure, identify which internal controls to deploy, determine how to monitor, and decide scope of incidents for which to prepare.
IMPACTS
ACTORS
Financial Theft / Fraud
Theft of customer
data
Business disruption
Destruction of critical
infrastructure
Reputationdamage
Threats to life /safety Regulatory
Organizedcriminals
Hacktivists
Nation states
Insiders / Partners
Competitors
Skilled individualhackers
Very high High Moderate LowKEY
Energy industry sample heat map
Energy Cyber Threat Current Events
Documented high level events with public view• StuxNet jumps airgap to destructively compromise Nantanz nuclear facility• Dragonfly APT incursions against Energy providers and provider supply
chains• ShaMoon destructively compromises 30,000 platforms at Saudi Aramco• Physical attack on electrical and cyber infrastructure at PG&E 500 kV
Metcalf Substation
Emerging Vulnerabilities• Test/configuration tools and other critical infrastructure testing tools• Infrastructure vulnerabilities reported in ICS/OT/PLC Vendors weekly• Increasing vectors for Supply Chain• Internet of Things (IoT) drawing increased research for security
vulnerability
Is this starting to get real?
Data growth
Customer privacy
sensitivity
Data as an Asset
Advances in technology
Reputational risk
Regulation and
compliance
Extended enterprise
Varying customer
expectations
Evolvingstandards
Mobile devices
Advancedpersistent
threatsThird-party
service provider risk
Cloud Computing
Regulatory Requirements
Breach notification
BYOD
Foundational DriverExample of Driver or Trend
Big Data
Impact on Brand
Unique business needs in your company will change your cyber risk
Insider Threat
Business Drivers
Common Impacts Due to Cyber for EnergyIt is important to understand the actual threats for specific organizations, and sometimes for individual lines of business or support functions
Loss of rate payer or board confidence
Customer data breach
Regulatory fines
Intellectual Property theft
Impact to reliable operations
Impact to life and safety
Theft/non-technical losses
Cyber Risk TrendsPhysical & Cyber
Convergence
Governance of Cyber Risk
Cyber Risk Behavior Change
Managed Services
Availability of Cyber Professionals
Measuring the “right” things
Industrial Control System Vulnerabilities
Internet of Things
Monitoring Data
Third Party Risk Management
Reliability
Cyber RiskRegulatory Compliance
Cyber Risk and ComplianceA successful risk management strategy for critical infrastructure must understand the intersection of cyber security, regulatory compliance, and reliable operations
Deloitte’s Holistic Approach to Cyber Risk
Secure. Vigilant. Resilient. Cyber Risk is more than a technology issue and it’s about more than just security. It is a first order business risk. In a world where it is infeasible for organizations to secure all their information and assets all the time, we encourage our clients to invest in protecting their most critical assets while becoming much better at detecting attacks and responding effectively to minimize their business impact. Deloitte calls this approach Secure. Vigilant. Resilient.TM
TM
Managing, Not Eliminating, Cyber Risk
Why cyber risk cannot be fully eliminated
For these reasons, a “secure everything” approach is usually not feasible. Therefore, we advise our clients to focus not only on being secure, but on being Secure.Vigilant.Resilient™.
Business must grow and innovateThe things businesses do to innovate and grow are the very things that create or exacerbate cyber risk - e.g., adoption of new technologies, expanding into new markets, developing new client engagement/delivery models, mergers and acquisitions
People must be trustedSome of the biggest risks are related to people - both employees and business partners - whom companies must trust and rely on to operate their business every day
Sharing information is imperativeWe have connected our economy, our businesses, and our society using technologies that were fundamentally designed for sharing information, not protecting it - it is not impossible to secure information, but it is costly (in terms of both resources and business efficiency)
Secure
Take a measured, risk-based approach to what you secure and how you secure it
Vigilant
Monitor systems, applications, people, and the outside environment to detect incidents more effectively
Resilient
Be prepared for incidents and minimize their business impact
Deloitte’s Secure.Vigilant.ResilientTM approach
Cyber risk is a first order business risk that is integrally tied to performance and operations. As a result, it cannot be fully eliminated. Rather, it must be understood and managed
Alternative Energy Impacts
• Alternative Energy Providers– Larger potential surface area of attack with Distributed
Generation control networks– Internet of Things (IoT): Increased data and control
dependencies– New equipment leads to new targeted attack vectors– Smaller providers will have less ability to build and govern
security infrastructure– Supply chain risk
• Vendors– Emerging market with emerging supplier reputations– Supply chain risk
What unique cyber risk impacts does Alternative Energy bring?
1. Establish purpose and direction. Clearly articulate your cyber risk appetite and strategy. Support it by requisite action through funding and resourcing.
2. Break down silos. Cyber risk is an enterprise level issue. Lack of information-sharing is a top inhibitor for effective risk management.
3. Trust but verify. Conduct monthly or quarterly reviews about key risks and risk metrics, and address roadblocks.
4. Be creative about cyber risk awareness. Your weakest link is the human factor. Consider war-gaming, and other creative ways to raise awareness across the enterprise.
5. Educate your team. Provide targeted cyber risk training for your high risk populations to combat your high priority threats.
Key actions you need to own
Key questions you need to ask
1. Are we focused on the right things? Often said, but hard to execute. Understand how value is created in your organization, where your critical assets are, how they are vulnerable to key threats. Practice defense-in-depth.
2. Do we have the right talent? Quality over quantity. There is not enough talent to do everything in-house, so take a strategic approach to sourcing decisions.
3. Are we proactive or reactive? Retrofitting for security is very expensive. Build it upfront in your management processes, applications and infrastructure.
4. Are we incentivizing openness and collaboration? Build strong relationships with partners, law enforcement, regulators, and vendors. Foster internal cooperation across groups and functions, and ensure that people aren’t hiding risks to protect themselves.
5. Are we adapting to change? Policy reviews, assessments, and rehearsals of crisis response processes must be regularized to establish a culture of perpetual adaptation to the threat and risk landscape.
Five Actions, Five Questions for Executives
Questions?
DisclaimerThis publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
About DeloitteDeloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2015 Deloitte Development LLC. All rights reserved.Member of Deloitte Touche Tohmatsu Limited