Cyber Security Over Time - NERC - 20131016...UNCLASSIFIED The Odds - Few Against the Many At...
UNCLASSIFIED
Cyber Security Over Time
GridSecCon 2013
Office of Energy Infrastructure Security
October 16, 2013
Global Internet Usage
Estimated that there are approximately 3 Billion users worldwide as of September 2013
Setting the Stage - Motivation
With 3 Billion users in the world it is impossible to know what motivates people to do certain things.
http://www.outsmarthormones.com/2010/12/22/cold-boost-metabolism/
The Odds - Few Against the Many
At Thermopylae in the late Summer of 480 B.C., Leonidas, the Spartan king, held out for three days with a mere 300 Hoplites against thousands of Persian fighters led by King Xerxes.
http://northtexasdrifter.blogspot.com/2013/09/leonidas-and-battle-at-thermopylae.html
Today – Few Against the Many
Defending the onslaught: Skill, Tools, Imagination
http://www.theorange.co/animation-of-global-internet-usage-based-on-the-time-of-day/
http://www.public.navy.mil/fltfor/cyberfor/Pages/MISSION%20STATEMENT.aspx
Defense – A Dynamic Posture
http://warm-oolong-tea.blogspot.com/2013/01/americas-pacific-maginot-line-advantage.html
Past success should not be the basis for future defense
The Maginot Line relied on past engagements and assumptions for success
The attackers adapted to the defenses and executed a workaround
As a defender, always expect the unexpected
Intelligence, Creativity, Skill
The attacker gathered intelligence of how the defenses were deployed and operated
Creative strategy to leverage gathered intelligence
Skill to adapt tools, tactics, and procedures
Defense requires this same mindset
http://lostimagesofww2.com/photos/places/maginot-line.php#
Dynamic Approach to Security
September 2012 – Chairman Wellinghoff created the Office of Energy Infrastructure Security (OEIS) separated from compliance (more detail later) to quickly adapt to changing threats
OEIS Staffed December 2012 – currently 18
Why? Share lessons learned, strategies, and practices for cyber and physical security …
– Private Sector / Trade Organizations / Associations …
– Government / Academia / ISACs …
– Vendors / Researchers …
OEIS – Primary Sectors of Focus
Electric (generation, transmission, distribution)
Hydro-electric (non-federal)
Oil and Natural Gas pipelines (interstate)
Liquefied Natural Gas
OEIS: A Unique FERC Office
OEIS is non-regulatory and its mission does not include compliance or enforcement actions
All OEIS staff is PCII certified
Team with our public and private partners to share information, techniques, and lessons learned
Perform analysis of the cyber and physical threats
– Monitor classified and open source information
– Provide threat briefings to partners (government/private) at the appropriate classification level upon request
OEIS: A Unique FERC Office (cont’d)
Cyber security, a holistic approach
– Lessons learned beyond scope NERC CIP (for electric)
– Internet to field devices and everything in-between (all connectivity)
– Architecture reviews (anonymously performed)
Reviews already performed
Positive feedback
Physical Security
– EMP, GMD, EMI, and Sabotage
– Physical security reviews (anonymously performed)
– Modeling for significant node identification (for electric)
OEIS: A Unique FERC Office (cont’d)
Technical input to NIST Cyber Framework development
Provide Subject Matter Expertise to support Commission offices
Understand interdependencies between all critical sectors and leverage lessons learned
Questions
Barry Kuehnle
Federal Energy Regulatory Commission
Office of Energy Infrastructure Security
* The contents of this brief are my views and may not represent the views of the Commission