Don't Get Hacked! Cybersecurity Boot Camp
Transcript of Don't Get Hacked! Cybersecurity Boot Camp
![Page 1: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/1.jpg)
Don’t Get Hacked! Cybersecurity Boot Camp
Patrick C Miller, EnergySec / NESCO
Bill Hunteman, US DOE
Miles Keogh, NARUC
February 13, 2011
NARUC Winter Committee Meetings, Marriott Renaissance, Washington DC
![Page 2: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/2.jpg)
Our Drill Instructors!
• Miles Keogh
– Director of Grants and Research, NARUC
• Patrick C Miller
– Founder, President and CEO, EnergySec
– Principal Investigator, National Electric Sector Cybersecurity Organization (NESCO)
– Former Director, NERC CIP Practice, ICF International
– Former Manager, WECC CIP Audits & Investigations
– Corporate Security staff for several Pacific Northwest utilities
– Deep roots in Telecom sector, IT and Industrial Control Systems
– CRISC, CISA, CISSP-ISSAP, SSCP, CEH, CVI, NSA-IAM
![Page 3: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/3.jpg)
Our Drill Instructors!
• Bill Hunteman
– Chief Advisor for Cybersecurity, US Department of Energy
– DOE Chief Information Security Officer (CISO) and Associate CIO for Cyber Security
– Cybersecurity Program Manager for the DOE National Nuclear Security Administration
– Worked in the Los Alamos and Sandia National Laboratories
– Managed cybersecurity research and development activities
– Participated in the development of national and international cyber security criteria
– Joint projects with Russia to improve cyber security in the Russian nuclear weapons complex
– Design and development of high performance computer networks and operating systems for many of the supercomputers used by DOE (and its predecessors)
– Bachelor of Science in Mathematics and Master of Science in Electrical Engineering/Computer Science
![Page 4: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/4.jpg)
What We’re Covering Today
• What’s the “Cyber” in “Cyber security?”
• What are we trying to protect?
• What threats do we face?
• What are the challenges of instituting cyber security?
• Where do the vulnerabilities within the system exist?
• What can Commissions do about it?
• What are the policy structures you have to work with?
![Page 5: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/5.jpg)
What Have You Seen?
• How well do you understand the confluence of networked and traditional devices?
• Has cybersecurity come before your commission?
• What has that looked like?
• What questions do you have about cybersecurity?
• Is cybersecurity a concern at your commission?
![Page 6: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/6.jpg)
The National Electric Sector Cybersecurity Organization (NESCO) is a DOE-funded EnergySec Program
Rising Cybersecurity Threats
![Page 7: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/7.jpg)
CyberWar (InfoWar)
![Page 8: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/8.jpg)
Aurora
![Page 9: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/9.jpg)
Night Dragon
• Recently published by McAfee
• Activity designed to obtain sensitive data from targeted organizations in global oil and energy industries…
![Page 10: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/10.jpg)
Night Dragon
• Source appears to be China, but this is difficult to confirm exactly
• Began Nov 2009, possibly as early as 2007
• Techniques:
– Social engineering
– Spear-phishing attacks
– Exploitation of Microsoft Windows vulnerabilities
– Microsoft Active Directory compromises
– Remote administration tools (RATs)
![Page 11: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/11.jpg)
Night Dragon
• Harvesting sensitive competitive proprietary operations, and project-financing information for oil and gas field bids and operations
• Controlled systems, then cracked accounts to move to more sensitive information/systems
• Focus was on operational oil and gas field production systems and financial documents related to field exploration and bidding
• In certain cases, the attackers collected data from SCADA systems
![Page 12: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/12.jpg)
Stuxnet
• First publicly disclosed control systems rootkit, but certainly won’t be the last...
• USB vector; focused on “air-gapped” networks
• Highly sophisticated; infects everything, then rewrites PLC logic and hides
• Undermines integrity of control system
• Most regulations wouldn’t have stopped it
• No 100% security against a determined adversary
![Page 13: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/13.jpg)
SHODAN, ERIPP, ETC
![Page 14: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/14.jpg)
SHODAN, ERIPP, ETC
Berkeley Cyclotron HMI images
![Page 15: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/15.jpg)
There’s An App For That
• “Get mobile access to your control system via an iPhone, iPad, Android and other smartphones and tablet devices. The Ignition Mobile Module gives you instant access to any HMI / SCADA project created with the Ignition Vision Module.”
![Page 16: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/16.jpg)
Public Domain
![Page 17: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/17.jpg)
Only The Disclosed
![Page 18: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/18.jpg)
TwitBookBlogosphere
![Page 19: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/19.jpg)
Research and Disclosure
• October 24, 2010, 12:39PM, Threat Post – SCADA Vendors Still Need Security Wake Up Call
• http://threatpost.com/en_us/blogs/scada-vendors-still-need-security-wake-call-102410
– “Please don’t waste my time”
• October 28, 2010: ICSJWG Seattle Meeting
– Invensys, IOActive, and ICS-CERT presented a case study on the Wonderware vulnerability
• Disclosure positions are hotly debated
![Page 20: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/20.jpg)
From Obscurity To Novelty
• Smart Meter hacking
• Hacking cookbooks
• Metasploit
• Fuzzers
• Supply chain attacks
• Manuals available in all languages on Internet
![Page 21: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/21.jpg)
Shiny Object
• Shiny object for the mass media
• 60 minutes
• Wall Street Journal, National Journal, CNN
• Too many IT trade publications to name
• Blockbuster films
• Prime time television shows
• Social Media (blogosphere, Twitter)
![Page 22: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/22.jpg)
Economic Drivers
• Recession economy brings unique challenges
• Decreased participation working groups and conferences
• Static or shrinking headcount; increased workload
• Insider threat increases
• Decreased spending on new equipment
• Older products extended beyond intended lifespan
• Security is expensive for customers and vendors
![Page 23: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/23.jpg)
People Problem
• Humans are the weakest link in any security system
– Passwords for candy; Social engineering
• Humans are also the strongest link in any security system
– The Aware Person System (APS)
– ICS culture shift is very slow, but can be very powerful
• Danger: unskilled/untrained operators of power tools can cause significant damage
– Increasing complexity = training treadmill
![Page 24: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/24.jpg)
People Solution
• So you’ve bought all of the fancy cybersecurity gizmos…
– What about the skilled staff to use them?
• So you’ve put cameras in all critical sites…
– What about the staff to monitor and respond?
• An appropriate balance of skilled people and current technology must be used
![Page 25: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/25.jpg)
Back In The Good Old Days
• Pneumatic, electromechanical, analog
• Telephone meant POTS or “bat phone”
• No Internet
• Less automation
• Less complexity
• Proprietary
• Long life span
![Page 26: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/26.jpg)
ICS Gen-X
• Automation, more complexity
• Internet Protocol (TCP/UDP/etc)
• Data, more data and even more data
• Processing power, memory, bandwidth = SPEED!
• Interconnected business
• Flat networks
• COTS software and hardware
• Increasingly shorter lifespans
![Page 27: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/27.jpg)
Millennium Systems
• Highly digital, highly complex
• Highly interconnected, highly layered
• Bitflocking, dynamic emergent behavior
• New protocols
• New interdependencies
• Homogenization
• Innovation treadmill; constant lifespan flux
![Page 28: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/28.jpg)
Bigger, Better, Faster
• ARRA and other “green” dollars are flowing
• SCADA devices now come with a flash-webserver-WiMax-mesh-ZigBee-kitchensink
• Mixing legacy and bleeding edge tech is difficult
• Logical distance between kinetic endpoint and HMI is exponentially increasing; “hyperembeddedness”
• Most (but not all) vendors put features first, security last; this will not change in the foreseeable future
![Page 29: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/29.jpg)
Advantage: Attackers
• Security approaches favor new installations, legacy environments are still vulnerable
• Very difficult to replace/patch in-service devices
• Stuxnet: game changer, sets the new bar - even when sophisticated attacks aren’t necessary
• Organized crime will top Nation States and Non-Government Organizations (NGOs) as biggest threat
• Welcome to the cyberarms race
![Page 30: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/30.jpg)
Cybersecurity Vocabulary
• Network
• Connectivity
• Packet
• Header
• Traffic
• Bandwidth
• Latency
• Internet Protocol
• Virus/Trojan/Malware
• Firmware
• Denial of Service
• NIST
• NERC CIP
• SCADA
• Encryption
• Credential
![Page 31: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/31.jpg)
Information Technology 101
• Connectivity: how the systems talk to each other
– Hub
– Switch
– Managed Switch
– Router
– Firewall
– Next Generation Firewall
– Workstation/Server
• What are we building for?
[Diagram: Device Intelligence spectrum, from “dumb” to “smart”]
![Page 32: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/32.jpg)
Three Flavors
• Business Systems
• Control Systems
• “Smart Grid”
![Page 33: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/33.jpg)
Business IT Security
• Typical approach: password, firewall, anti-virus, etc
• Protecting four key domains
1. Confidentiality – preventing unauthorized access to information
2. Integrity – preventing the unauthorized modification or theft of information
3. Availability – preventing the denial of service and ensuring authorized access to information
4. Non-Repudiation – preventing the denial of an action that took place or the claim of an action that did not take place
![Page 34: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/34.jpg)
What Is A Control System?
[Diagram: What Is A Control System? Components shown: Remote Comms, Master, Meters, Sensors, Field Devices; PLC, IED, RTU, Controller; Protocols (Wired, Wireless); SCADA Server, HMI, EMS, DCS; I/O; Control Valve. Insets: Basic Motor Control Ladder Logic (START, STOP, O.L., M, R/S, L1/L2), Human Machine Interface, Programmable Logic Controllers]
![Page 35: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/35.jpg)
IT vs ICS Security
| TOPIC | Information Technology | Industrial Control Systems |
|---|---|---|
| Anti-Virus/Mobile Code | Common, widely used | Uncommon, impossible |
| Typical Lifespan | 3-5 years | 15-20 years |
| Outsourcing | Common, widely used | Rare, uncommon |
| Patch Management | Regular, scheduled | Slow, vendor-specific |
| Change Management | Regular, scheduled | Uncommon |
| Time Critical Content | Generally delays accepted | Critical due to safety |
| Availability | Generally delays accepted | 24 x 7 x 365 x forever |
| Security Awareness | Good | Poor, except physical |
| Security Testing/Audit | Scheduled, mandated | Occasional, uncommon |
| Physical Security | Secure | Remote and unmanned |
![Page 36: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/36.jpg)
Typical Architecture
[Diagram: Typical Architecture, showing the Internet, the Corporate Network, a Firewall, the Process Control Network, and SCADA and other field devices]
![Page 37: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/37.jpg)
Smart Grid Complications
![Page 38: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/38.jpg)
Smart Grid Complications
![Page 39: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/39.jpg)
What Have You Seen?
• Did cyber security appear in your filings and hearings?
• How did this fit in your list of priorities?
• What elements were most important?
– Privacy?
– Reliability?
– Cost?
– Security Effectiveness?
– Upgradeability as a solution or vulnerability?
![Page 40: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/40.jpg)
Threat Sources
• Inadvertent errors
• Power system equipment malfunctions
• Communication equipment failure
• Deliberate malicious acts
![Page 41: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/41.jpg)
Threat Types
• Replay attacks
• Indiscretions (leaks) by personnel
• Brute force
• Bypass controls
• Man-in-the-Middle
• Denial of Service
• Resource Exhaustion
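The replay and man-in-the-middle entries above, together with the integrity and non-repudiation domains from the Business IT Security slide, come down to one question for a control channel: can the receiver tell a genuine, fresh command from one that was altered or re-sent? The following Python is an added example, not code from the presentation or from NESCO. It assumes a pre-shared key between a SCADA master and a field device (`SHARED_KEY`, a constructed value) and uses HMAC-SHA256 over the message plus a monotonically increasing sequence number, so that a tampered copy fails the tag check and a captured copy re-sent later fails the freshness check; both rejections are logged for the detection side.

```python
import hashlib
import hmac
import json

# Constructed sample key shared by the SCADA master and one field device.
# A real deployment provisions a distinct key per device and never hard-codes it.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(body: dict) -> bytes:
    """Serialize the message body deterministically so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(key: bytes, seq: int, command: str) -> dict:
    """Sender side: attach a sequence number and an HMAC-SHA256 tag over the body."""
    body = {"seq": seq, "cmd": command}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: verifies integrity (tag) before freshness (sequence number)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1   # highest sequence number accepted so far
        self.log = []        # (decision, body) pairs for the audit trail

    def accept(self, msg: dict) -> bool:
        expected = hmac.new(self.key, _canonical(msg["body"]), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(expected, msg["tag"]):
            self.log.append(("REJECT_TAMPERED", msg["body"]))
            return False
        seq = msg["body"]["seq"]
        if seq <= self.last_seq:
            # Valid tag but stale sequence number: a replay of an earlier message.
            self.log.append(("REJECT_REPLAY", msg["body"]))
            return False
        self.last_seq = seq
        self.log.append(("ACCEPT", msg["body"]))
        return True


def run_scenario() -> list:
    """Constructed exchange: genuine, replayed, tampered, then genuine again."""
    rx = Receiver(SHARED_KEY)
    legit = build_message(SHARED_KEY, 1, "OPEN_BREAKER_12")
    results = [rx.accept(legit)]
    # The same captured message delivered a second time.
    results.append(rx.accept(legit))
    # A copy whose command was changed in transit; the old tag no longer matches.
    tampered = {"body": dict(legit["body"], cmd="CLOSE_BREAKER_12"), "tag": legit["tag"]}
    results.append(rx.accept(tampered))
    # The next genuine message from the master.
    results.append(rx.accept(build_message(SHARED_KEY, 2, "READ_STATUS")))
    return results


if __name__ == "__main__":
    print(run_scenario())  # [True, False, False, True]
```

The order of the two checks matters: the tag is verified first so that an unauthenticated packet can never advance `last_seq`, and the sequence counter is only updated on acceptance. A counter alone does not stop an attacker who can forge packets, and a MAC alone does not stop one who can record and re-send them; the two together cover both rows of the threat list.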
![Page 42: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/42.jpg)
Nothing New Under The Sun
• Mature security practices; highly refined
– Defense in Depth
– Principle of Least Privilege
– Segregation of Duties
– Need to Know
– Confidentiality, Integrity, Availability
• No Silver Bullet, 100%, Total Security
• Strong protection has never been easy, inexpensive or quick to implement
• Tradeoff between functionality and security
![Page 43: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/43.jpg)
Strategies for Defense In Depth
• Governance, policy
• Authentication
• Authorization
• Admission control
• Encryption
• Integrity checking
• Auditing, detection
![Page 44: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/44.jpg)
Defense In Depth: Example
• NERC CIP Standards
– CIP-002 – Critical Cyber Asset Identification
– CIP-003 – Security Management Controls
– CIP-004 – Personnel & Training
– CIP-005 – Electronic Security Perimeter(s)
– CIP-006 – Physical Security
– CIP-007 – Systems Security Management
– CIP-008 – Incident Reporting & Response Planning
– CIP-009 – Recovery Plans for Critical Cyber Assets
![Page 45: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/45.jpg)
Proven Security Solutions
• Physical Protection
• Network Controls: Admission, Segmentation
• Strong ID, Authentication and Authorization
• Aware Person System (Training and Awareness)
• Intrusion Detection/Prevention
• Integrity Assurance
• Application Whitelisting
• Response and Recovery
![Page 46: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/46.jpg)
You Don’t Need a Perfect Defense
• If defensive measures can be beaten, does the system ensure the results of the attack are:
– Unprofitable
– Limited in its ramifications
– Hard enough to make the “juice” not worth the “squeeze”
– Difficult to replicate
– Quickly and easily recoverable
– Traceable and easy to detect; and
– Otherwise unappealing
![Page 47: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/47.jpg)
Why Your Role Is Increasing
• Increased attacks to business processes
• NERC CIP compliance
• The deployment of smart grid
• These are increasingly drivers for cost recovery consideration and other contexts in cases that are coming your way very soon
• Is that reflected in what you’re seeing / hearing?
![Page 48: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/48.jpg)
Proposal: Roles for Public Utility Commissions
1. Ask the right questions when considering cost recovery of prudent utility expenditures for cyber security.
2. Assure that cyber security requirements that utilities are subject to are being met.
– PUC Staff need to be up-to-date on cyber security requirements and potential threats.
3. Assure that the PUC’s computer systems and operations are subject to on-going cyber security reviews and remediation, and that disaster recovery plans are in place and tested.
– This also includes cyber security awareness for agency employees.
4. Understand and participate in regional and national efforts for protecting critical infrastructure.
![Page 49: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/49.jpg)
Cybersecurity Investments: What To Ask
• Worth saying twice: someone on the PUC staff needs to be up-to-date on cyber security requirements and potential threats.
• Ask how security is addressed (conceptually) for each component
• Don’t accept assurances that all products used were built to be secure, or that IT solutions will work for SCADA systems. Insist that vendors document & independently verify their security controls
• Use “compliance” as a floor, not a ceiling: ask to see risk assessment documentation
• Ensure security is budgeted for and individuals are assigned responsibility
• Ensure service providers (for example, telcos, meter data processors) are included in risk assessment and provide sufficient information
• Ensure integrated security between business systems and control systems for existing grid and for smart grid
![Page 50: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/50.jpg)
Three examples of State action
• Pennsylvania
• Missouri
• New York
• PUCs don’t need to become cyber experts or enforcers, but if you ask a utility a question they will return with an answer
![Page 51: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/51.jpg)
Cybersecurity Requirements and Resources
• For the Bulk Power System:
– The North American Electric Reliability Corporation -- Standards CIP-002 through CIP-009 (the Critical Cyber Asset Identification portion of the Critical Infrastructure Protection standards)
– http://www.nerc.com/page.php?cid=2|20
• For the Smart Grid:
– The National Institute of Standards and Technology (NIST) smart grid interoperability standards and specifications for inclusion in the Smart Grid Interoperability Standards Framework, Release 1.0. These include three volumes on cyber security
– http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628
• What’s Missing?
– Distribution systems, serial control systems, and other gaps
![Page 52: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/52.jpg)
Smart Grid Investment Grant Program
• Requires a description of how cyber security concerns will be addressed with respect to the use of best available equipment and the application of procedures and practices involving system design, testing, deployment, operations and decommissioning, including at a minimum:
i. A description of the cyber security risks at each stage of the system deployment lifecycle,
ii. Cyber security criteria used for vendor and device selection,
iii. Cyber security control strategies,
iv. Descriptions of residual cyber security risks,
v. Relevant cyber security standards and best practices, and
vi. Descriptions of how the project will support/adopt/implement emerging smart grid security standards
Source: Notice of Intent to Issue a Funding Opportunity Announcement For the Smart Grid Investment Grant Program, April 16, 2009
![Page 53: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/53.jpg)
Is Smart Grid More Vulnerable?
Source: “San Diego Smart Grid Study”, October 2006
Power outages cost between $80 billion and $150 billion every year
![Page 54: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/54.jpg)
Energy Independence and Security Act
• In the Energy Independence and Security Act (EISA) of 2007, Congress established the development of a Smart Grid as a national policy goal.
• Under EISA, NIST is directed to “coordinate the development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems” as well as maintain the reliability and security of the electricity infrastructure.
![Page 55: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/55.jpg)
Conceptual Reference Diagram for Smart Grid Information Networks
![Page 56: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/56.jpg)
Interoperability Framework
[Diagram: framework layers, top to bottom: Testing and Certification; Standards; Security Architecture and Requirements; Conceptual Reference Model; Business and Public Policy Requirements]
![Page 57: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/57.jpg)
NIST Three Phase Plan
• Phase 1: Identify an initial set of existing consensus standards and develop a roadmap to fill gaps
• Phase 2: Establish public/private Standards Panel to provide ongoing recommendations for new/revised standards
• Phase 3: Testing and Certification Framework
[Timeline on the slide: 2009, 2010]
![Page 58: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/58.jpg)
Smart Grid – an Opportunity
• Modernization provides an opportunity to improve security of the Grid
• Integration of new IT and networking technologies
– Brings new risks as well as an array of security standards, processes, and tools
• Architecture is key
– Security must be designed in – it cannot be added on later
![Page 59: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/59.jpg)
CSWG
• To address the cross-cutting issue of cyber security, NIST established the Cyber Security Coordination Task Group (CSCTG) in March 2009
• Moved under the NIST Smart Grid Interoperability Panel (SGIP) as a standing working group and was renamed the Cyber Security Working Group (SGIP–CSWG)
• The CSWG now has more than 475 participants from the private sector (including vendors and service providers), academia, regulatory organizations, national research laboratories, and federal agencies
![Page 60: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/60.jpg)
Guidelines for Smart Grid Cyber Security
• NIST Interagency Report 7628 - August 2010
– Development of the document led by NIST
– Represents significant coordination among:
• Federal agencies
• Private sector
• Regulators
• Academics
– Document includes material that will be used in selecting and modifying security requirements
![Page 61: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/61.jpg)
NISTIR 7628 – What it IS and IS NOT
What it IS
• A tool for organizations that are researching, designing, developing, and implementing Smart Grid technologies
• May be used as a guideline to evaluate the overall cyber risks to a Smart Grid system during the design phase and during system implementation and maintenance
• Guidance for organizations
– Each organization must develop its own cyber security strategy (including a risk assessment methodology) for the Smart Grid.
What it IS NOT
• It does not prescribe particular solutions
• It is not mandatory
![Page 62: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/62.jpg)
Smart Grid Cyber Security Strategy - Tasks
[Figure: task flow of the NISTIR 7628 Smart Grid cyber security strategy. Labels recovered from the slide: 1. Use Case Analysis; 2. Risk Assessment (identify assets, vulnerabilities, threats, impacts); 3. High Level Security Requirements; 4a. Security Architecture; 4b. Smart Grid Standards Assessment; 5. Conformity Assessment. Supporting inputs: Privacy Assessment; Bottom-up analysis (vulnerability classes); Top-down analysis (inter-component, domain); Existing Standards (CIP, IEEE, IEC, etc.).]
![Page 63: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/63.jpg)
NISTIR 7628 Content
The NISTIR includes the following
• Executive Summary
• Chapter 1 – Overall cyber security strategy for the Smart Grid
• Chapter 2 – High level and logical security architecture
• Chapter 3 – High level security requirements
• Chapter 4 – Cryptography and key management
![Page 64: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/64.jpg)
NISTIR 7628 Content (2)
• Chapter 5 – Privacy and the Smart Grid
• Chapter 6 – Vulnerability Classes
• Chapter 7 – Bottom-up security analysis of the Smart Grid
• Chapter 8 – R&D themes for cyber security in the Smart Grid
• Chapter 9 – Overview of the standards review
![Page 65: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/65.jpg)
NISTIR 7628 Content (3)
• Chapter 10 – Key power system use cases for security requirements
• Appendices A - J
![Page 66: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/66.jpg)
How to Participate in CSWG
• NIST Smart Grid portal http://nist.gov/smartgrid
• Cyber Security Working Group
  – Lead: Marianne Swanson ([email protected])
  – NIST Support: Tanya Brewer ([email protected])
• Cyber Security Twiki site
  http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CyberSecurityCTG
![Page 67: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/67.jpg)
Security of PUC's computer systems
• Assuring that the computer systems on which the PUC relies have on-going cyber security reviews and remediation of identified vulnerabilities.
• Disaster recovery plans are in place and tested, and Continuity of Operation Plans have been developed.
• Cyber security awareness for agency employees, including social engineering and insider threats.
This may be the responsibility of another state agency or office, but a failure will impact the business operations of the Commission.
![Page 68: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/68.jpg)
Continuity of Operation Plans (COOP)
• Internal contingency plans of government and business to assure the rapid resumption of essential functions if they are disrupted for any reason: e.g., fire, tornado, hurricanes, wildfires, earthquakes, terrorism, pandemics, etc. – Build self-reliance and resiliency
• Helps assure that critical/essential functions can quickly resume operations
• Addresses key or essential employees, required facilities, computer system records and back-up data systems, etc.
• Minimize damage & losses
• Management succession & emergency powers
![Page 69: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/69.jpg)
On what cyber systems do you rely?
• What IT systems support critical PUC functions?
• What are the backed-up systems?
• What systems are needed to support restoration?
• What systems are needed operationally?
• In what sequence should systems be restored?
• What are the telecommunication needs and requirements?
Hourly Loss from Downtime in the Information Technology Sector: $1.3 million/hr
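The questions on this slide are normally answered with a dependency map of the commission's systems. The following Python is an added example, not code from the presentation, NARUC, DOE or any PUC: it takes a constructed, hypothetical inventory (the system names, dependencies and functions are assumptions for illustration) recording what each system depends on, which critical functions it supports and whether a tested backup exists, then derives a restoration sequence in which dependencies are restored first and, among systems that are ready, the one supporting the most critical functions goes first. It also lists the critical functions that rest on a system without a tested backup, and treats a dependency cycle as a planning error.

```python
"""Restoration sequencing for a COOP / disaster-recovery review.

Constructed example: INVENTORY below is hypothetical, not a real commission's
system list.  Each system records what it depends on, which critical PUC
functions it directly supports, and whether a tested backup exists.
"""
from collections import defaultdict

# name -> (systems it depends on, critical functions it directly supports, backup tested?)
INVENTORY = {
    "network":     ((),                       (),                      True),
    "directory":   (("network",),             (),                      True),
    "email":       (("network", "directory"), ("docket notices",),     True),
    "docket_db":   (("network", "directory"), ("rate case filings",),  False),
    "efiling_web": (("network", "docket_db"), ("rate case filings",),  True),
    "gis":         (("network",),             ("outage mapping",),     False),
}


def dependents(inventory):
    """Reverse the dependency edges: system -> set of systems that depend on it."""
    rev = defaultdict(set)
    for name, (deps, _, _) in inventory.items():
        for dep in deps:
            if dep not in inventory:
                raise KeyError(f"{name} depends on unknown system {dep!r}")
            rev[dep].add(name)
    return rev


def supported_functions(inventory):
    """Critical functions each system supports directly or through anything that depends on it."""
    rev = dependents(inventory)
    result = {}
    for name in inventory:
        funcs, stack, seen = set(), [name], set()
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            funcs.update(inventory[cur][1])
            stack.extend(rev[cur])
        result[name] = funcs
    return result


def restoration_order(inventory):
    """Kahn's algorithm over the dependency graph: a system is restored only after
    everything it depends on.  Among systems that are ready, the one supporting the
    most critical functions goes first; ties are broken alphabetically so the
    sequence is reproducible from one exercise to the next.  A cycle is a planning
    error (two systems that each need the other to come up) and is reported."""
    rev = dependents(inventory)
    pending = {name: set(deps) for name, (deps, _, _) in inventory.items()}
    weight = {name: len(funcs) for name, funcs in supported_functions(inventory).items()}
    order = []
    while pending:
        ready = [name for name, deps in pending.items() if not deps]
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(pending)}")
        nxt = min(ready, key=lambda name: (-weight[name], name))
        order.append(nxt)
        del pending[nxt]
        for dependent in rev[nxt]:
            pending[dependent].discard(nxt)
    return order


def unbacked_functions(inventory):
    """Critical functions that rely, directly or transitively, on a system with no tested backup."""
    exposed = defaultdict(set)
    for name, funcs in supported_functions(inventory).items():
        if not inventory[name][2]:
            for func in funcs:
                exposed[func].add(name)
    return {func: sorted(systems) for func, systems in exposed.items()}


if __name__ == "__main__":
    print("Restore in this order:", " -> ".join(restoration_order(INVENTORY)))
    for func, systems in unbacked_functions(INVENTORY).items():
        print(f"'{func}' depends on unbacked system(s): {', '.join(systems)}")
```

The weight used for tie-breaking counts functions transitively, so a shared service such as the directory is restored before a single-purpose system even though it supports no function on its own; the same map answers the "which systems are backed up" question, because a critical function is only as recoverable as the least-protected system beneath it.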
![Page 70: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/70.jpg)
What if this happened?
![Page 71: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/71.jpg)
Employee Education
http://www.michigan.gov/cybersecurity
![Page 72: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/72.jpg)
The National Electric Sector Cybersecurity Organization (NESCO) is a DOE-funded EnergySec Program
Resilience Factors
• Robustness
  – The ability to operate or stay standing in the face of disaster
• Resourcefulness
  – Skillfully managing a disaster once it unfolds
• Rapid Recovery
  – The capacity to get things back to normal as quickly as possible after a disaster
• Learning lessons
  – Having the means to absorb the new lessons that can be drawn from a catastrophe
![Page 73: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/73.jpg)
Resilience Considerations
• Resilience depends on humans
  – Human networks are key
  – Ability to work together and individually
  – Potential for panic or confusion
  – Build necessary connections (relationships) in advance
• In the event of an electric power sector cyberattack, do you know:
  – Your role? If not, whose role it is to act?
  – Who to call? What they can/should do?
![Page 74: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/74.jpg)
Protecting The Right Stuff
• Very little security actuarial data vs. engineering actuarial data
• Most organizations don’t communicate details of security breaches
• Most estimates are based on FUD (Fear, Uncertainty and Doubt)
• Need better/current data on: – What is being attacked? (most preferred targets)
– Which attacks were successful?
![Page 75: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/75.jpg)
Product/Service Problem(s)
• Utilities are married to their products [and vendors] for many years
• Most products are very expensive to replace or upgrade and challenging to coordinate
• Product vendors are trying to balance security and profit; guess which one wins…
• Some vendors are responsive, most are not
• SCADA Procurement Language can help, but only for new purchases
![Page 76: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/76.jpg)
What Can State Regulators Do?
• Get educated (even more than today)
• Strategic communication, in all directions
• Build new relationships and reshape old
• Support measures to get actuarial data
• Support secure procurement measures
• Support security training/education
• Support appropriate staffing levels
• Rethink the rate case approach
![Page 77: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/77.jpg)
What Can State Regulators Do?
• Ask questions…
– Are you using the SCADA Procurement Language?
– Are you participating in local, state, regional, national security/disaster exercises?
– What security training/education/awareness are you providing to your staff and how often?
– Where do you get your situational awareness data?
– What cybersecurity technologies do you use?
– Have you performed a full [exhaustive] inventory of all control systems and all associated communication links?
![Page 78: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/78.jpg)
Education and Training
• What is happening in Operations, Federal, States?
• OpSec, Red-Blue, Security Body of Knowledge, security concepts
• Security practices change rapidly
  – Need for training on new tactics and new technology is perpetual
• Lack of education leads to a false sense of security
  – Otherwise known as knowing just enough to be dangerous
![Page 79: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/79.jpg)
Communication
• Ratepayers want a secure grid, until they see the bill
  – Expect rate shock
  – Rates could triple or more, for some infrastructures
• “Common Practice” vs. “Best Practice”
• Early and regular, fact-based communication can minimize negative public reaction
• Remind ratepayers that smart, informed decisions are being made
![Page 80: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/80.jpg)
Communication
• Keep the story fresh; lather, rinse, repeat
• Leverage existing Safety communication vehicles/mechanisms
  – Newsletters
  – Mailers, billing notices
  – Public service announcements
  – Sponsored events
• Partner with utilities, Federal agencies and even Media to convey a unified message
![Page 81: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/81.jpg)
Relationships
• Get out and talk to your operators
• Get to know the industry thought leaders
• What are your peers doing?
• Situational Awareness – NESCO, VirtualUSA, Einstein, Fusion centers, Infragard…
• Take a partnership approach to the rate case (vs. adversarial) as much as possible
![Page 82: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/82.jpg)
Closing Thoughts
• Cybersecurity is worth taking seriously, but will have to fit into a long list of concerns and priorities
• There are few response networks for utility sector cybersecurity among State Governments
• Few of those evaluating cybersecurity investments understand cybersecurity
• An unskilled operator of any power tool will hurt themselves and those around them
  – Training and staffing are imperative
• A culture shift is the first ingredient for success
• Soft-skills may matter more than technical skills
![Page 83: Don't Get Hacked! Cybersecurity Boot Camp](https://reader033.fdocuments.us/reader033/viewer/2022052618/54bfe8954a795951458b45a2/html5/thumbnails/83.jpg)
Questions?
Patrick C Miller, President and CEO, EnergySec; Principal Investigator, NESCO
[email protected] 503-446-1212
Miles Keogh, NARUC Director of Grants & Research
[email protected] 202-898-2217
Bill Hunteman, Chief Cyber Security Advisor
US Department of Energy Office of Electricity Delivery & Energy Reliability