Cyber Security Over Time - NERC - 20131016...UNCLASSIFIED The Odds - Few Against the Many At...

UNCLASSIFIED

Cyber Security Over Time

GridSecCon 2013

Office of Energy Infrastructure Security

October 16, 2013


Global Internet Usage

An estimated 3 billion users worldwide as of September 2013


Setting the Stage - Motivation

With 3 billion users in the world, it is impossible to know what motivates people to do certain things.

http://www.outsmarthormones.com/2010/12/22/cold-boost-metabolism/


The Odds - Few Against the Many

At Thermopylae in the late Summer of 480 B.C., Leonidas, the Spartan king, held out for three days with a mere 300 Hoplites against thousands of Persian fighters led by King Xerxes.

http://northtexasdrifter.blogspot.com/2013/09/leonidas-and-battle-at-thermopylae.html


Today – Few Against the Many

Defending the onslaught: Skill, Tools, Imagination


http://www.theorange.co/animation-of-global-internet-usage-based-on-the-time-of-day/

http://www.public.navy.mil/fltfor/cyberfor/Pages/MISSION%20STATEMENT.aspx


Defense – A Dynamic Posture

http://warm-oolong-tea.blogspot.com/2013/01/americas-pacific-maginot-line-advantage.html

Past success should not be the basis for future defense

The Maginot Line relied on past engagements and assumptions for success

The attackers adapted to the defenses and executed a workaround

As a defender, always expect the unexpected


Intelligence, Creativity, Skill

The attacker gathered intelligence on how the defenses were deployed and operated

Creative strategy to leverage gathered intelligence

Skill to adapt tools, tactics, and procedures

Defense requires this same mindset

http://lostimagesofww2.com/photos/places/maginot-line.php#

Hack and Destroy!


State of the Union – July 2013


Dynamic Approach to Security

September 2012 – Chairman Wellinghoff created the Office of Energy Infrastructure Security (OEIS), separate from compliance (more detail later), to quickly adapt to changing threats

OEIS staffed December 2012 – currently 18

Why? Share lessons learned, strategies, and practices for cyber and physical security …

– Private Sector / Trade Organizations / Associations …

– Government / Academia / ISACs …

– Vendors / Researchers …


OEIS – Primary Sectors of Focus

Electric (generation, transmission, distribution)

Hydro-electric (non-federal)

Oil and Natural Gas pipelines (interstate)

Liquefied Natural Gas


OEIS: A Unique FERC Office

OEIS is non-regulatory and its mission does not include compliance or enforcement actions

All OEIS staff is PCII certified

Team with our public and private partners to share information, techniques, and lessons learned

Perform analysis of the cyber and physical threats

– Monitor classified and open source information

– Provide threat briefings to partners (government/private) at the appropriate classification level upon request


OEIS: A Unique FERC Office (cont’d)

Cyber security, a holistic approach

– Lessons learned beyond the scope of NERC CIP (for electric)

– Internet to field devices and everything in-between (all connectivity)

– Architecture reviews (anonymously performed)

Reviews already performed

Positive feedback

Physical Security

– EMP, GMD, EMI, and Sabotage

– Physical security reviews (anonymously performed)

– Modeling for significant node identification (for electric)


OEIS: A Unique FERC Office (cont’d)

Technical input to NIST Cyber Framework development

Provide Subject Matter Expertise to support Commission offices

Understand interdependencies between all critical sectors and leverage lessons learned


Questions

Barry Kuehnle

Federal Energy Regulatory Commission

Office of Energy Infrastructure Security


* The contents of this brief are my views and may not represent the views of the Commission