Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Transcript of Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense

Page 1: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense

This document contains Booz Allen Hamilton, Inc. Proprietary and Confidential Business Information.

A Holistic Approach for Reimagining Cyber Defense

23 February 2016

Page 2: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Agenda

Introduction

The Approach
• Know
• Protect
• Respond
• Mature

Sector Study - The Electric Utility Sector

Page 3: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Booz Allen Hamilton is a leading strategy & technology consulting firm and solutions provider

Mission
Booz Allen Hamilton partners with clients to solve their most important and complex problems, making their mission our mission and delivering results that endure

What We Bring
Expertise, objectivity, and the capabilities of exceptional people, combined with the institutional experience of helping clients succeed for 100 years

What Distinguishes Us
Booz Allen combines a consultant's unique problem-solving orientation with deep technical knowledge and strong execution to help clients achieve success in their critical missions

The Firm
Annual Revenue: $4 billion
Public corporation
Founded in 1914

Scale and Scope
Over 24,000 talented people, serving clients from more than 80 offices
Approx. 300 staff in Hawaii
Office in Honolulu for over 20 years

Page 4: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Know - Understand your business and the cyber risk within it

Asset Management - Realizing tailored asset management systems that enable proper classification, tracking, protection, configuration, and usage of those assets.

Situational Awareness - Establishing real-time visibility into your cyber ecosystem, providing insights into activities that impact your unique environment.

Threat Intelligence - Providing clear insights on current and emerging threat activity in order to drive more informed and precise decision making.

Vulnerability Management - Identifying, quantifying, and prioritizing the vulnerabilities in systems, networks, processes, or applications, and developing plans for intelligently reducing vulnerability.

Page 5: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Specific alerts and warnings relevant to the client are more valuable than generic reports of vulnerabilities

Cyber4Sight - Booz Allen developed the Cyber4Sight® line to provide cyber threat alerting and warning services, on-call intelligence analysis, and deep web intelligence that warn our clients of threats in near real-time.

Insider4Sight - Rogue internal employees fly under the radar of organizations that use network audit tools to prevent outside threats. I4S was created to identify insider threats using advanced detection and analytical tools.

Global4Sight - Our line of threat and competitive intelligence Global4Sight™ products combines open-source cloud architecture with social media research and intelligence analysis to give clients key information on global threats and global market opportunities.

Page 6: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Protect - Secure your organization, operations, products, and services

Application Security - Developing and deploying software assurance processes, controls, and countermeasures to secure software applications throughout the product lifecycle, from design to maintenance.

Identity & Access Management - Enabling program design support and deployment of solutions to assure that information is derived from a trusted source and is only available to authorized entities.

Information Protection - Cross-disciplinary solutions to protect sensitive information from unauthorized access, use, disclosure, disruption, modification, recording, and destruction.

Infrastructure & Mobile Security - Providing a stable and resilient baseline infrastructure, along with a flexible and secure mobile platform that meets mission and business needs.

Supplier Security Management - Applying industry-leading, vendor-agnostic solutions to carefully identify, prioritize, and manage risk in your supply chain and across your supplier community.

Page 7: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Continuous Monitoring can help meet Compliance and Network Management/Defense needs across the Enterprise.

Page 8: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Respond - Triage, respond, and learn from cyber incidents

Incident Response - Support to assess incidents, mitigate the issue, determine the extent of exposure, and manage communications.

Postmortem Analysis - Analysis of security incidents to support investigations, document lessons learned, and improve the overall incident response process.

Remediation - Development and implementation of targeted action plans for short-term incident containment and longer-term ecosystem resilience.

Page 9: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Automated First Responder (AFR) – arms analysts with a proven tool to identify and eradicate APTs

APT-specific suite of tools that can rapidly identify APTs and their malicious code

[Diagram: AFR workflow, steps 1 through 5, spanning a Software Distribution Server, Enterprise Workstations/Servers, a Collection Server, a Processing Server, a Standalone Analysis Environment, and the Analyst]
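The slide names the components of the AFR pipeline but not what moves between them. The following is an added illustration written for this transcript, not Booz Allen's AFR code, of the shape such a collect-and-process loop takes: an endpoint agent (the piece a software distribution server would push out) hashes the image of every running process and ships only metadata, a collection server aggregates the records, and a processing-server step matches them against a known-bad set and stacks them by prevalence across the fleet, so that a binary present on a single host surfaces for the analyst even when no indicator matches it. The host names, paths, file contents and the known-bad set are all constructed; the page does not document the five numbered steps, so the step mapping in the comments is an assumption.

```python
"""Added example: a hash-based collect/process loop in the shape of the AFR diagram.
Not Booz Allen's AFR code. Every host, path, file content and indicator below is
constructed for the example."""
import hashlib
import json
from collections import defaultdict

# Constructed stand-ins for on-disk executables (the bytes are the whole "file").
COMMON_SVCHOST = b"constructed: benign svchost image"
COMMON_EXPLORER = b"constructed: benign explorer image"
IMPLANT = b"constructed: stand-in for a known-bad implant"
ONE_OFF_TOOL = b"constructed: legitimately unique admin tool"

# Constructed known-bad set the processing server would hold (assumption: SHA-256 indicators).
KNOWN_BAD = {hashlib.sha256(IMPLANT).hexdigest()}

# Constructed fleet: host -> {path of a running process image: file bytes}.
FLEET = {
    "ws-001": {r"C:\Windows\System32\svchost.exe": COMMON_SVCHOST,
               r"C:\Windows\explorer.exe": COMMON_EXPLORER},
    "ws-002": {r"C:\Windows\System32\svchost.exe": COMMON_SVCHOST,
               r"C:\Windows\explorer.exe": COMMON_EXPLORER,
               r"C:\Users\Public\update.exe": IMPLANT},
    "srv-001": {r"C:\Windows\System32\svchost.exe": COMMON_SVCHOST,
                r"C:\Tools\rotate-logs.exe": ONE_OFF_TOOL},
}


def collect(host, process_images):
    """Endpoint agent (assumed to be what the software distribution server pushes):
    hash the image of every running process and ship metadata only, so no binary
    leaves the host and the collection server receives small, uniform records."""
    return [
        {"host": host, "path": path,
         "sha256": hashlib.sha256(content).hexdigest(), "size": len(content)}
        for path, content in sorted(process_images.items())
    ]


def process(records, known_bad, rare_threshold=1):
    """Processing-server step (assumed): indicator match plus prevalence stacking.
    A hash present on at most `rare_threshold` hosts is surfaced for the analyst
    even when no indicator matches it; hashes common across the fleet are left
    out of the review queue, since they are almost always platform binaries."""
    hosts_per_hash = defaultdict(set)
    first_path = {}
    for rec in records:
        hosts_per_hash[rec["sha256"]].add(rec["host"])
        first_path.setdefault(rec["sha256"], rec["path"])

    def finding(h):
        return {"sha256": h, "path": first_path[h], "hosts": sorted(hosts_per_hash[h])}

    ioc_hits = [finding(h) for h in sorted(hosts_per_hash) if h in known_bad]
    rare = [finding(h) for h in sorted(hosts_per_hash)
            if h not in known_bad and len(hosts_per_hash[h]) <= rare_threshold]
    return {"hosts_seen": len({r["host"] for r in records}),
            "ioc_hits": ioc_hits, "rare": rare}


def run_demo():
    """Collection server: concatenate what every endpoint shipped, then process it."""
    collected = [rec for host, images in FLEET.items() for rec in collect(host, images)]
    return process(collected, KNOWN_BAD)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Prevalence stacking only works when records from the whole fleet sit in one place, which is the practical reason a design like the one in the diagram routes every endpoint through a central collection server before processing rather than scoring hosts in isolation.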

Page 10: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Mature - Build and manage a world-class cyber program and workforce

Awareness - Development and deployment of tailored and impactful training content to ensure organization-wide awareness and adoption of cyber security priorities.

Governance - Establishment of environment-specific cyber strategy, policies, and procedures, along with impactful organizational designs and operating models.

Human Capital Development - Fostering and maintaining a secure cyber environment via attracting, developing, and retaining a high-performing cyber workforce.

Information Risk Management - Design and delivery of processes and tools for methodically identifying, analyzing, prioritizing, responding to, and monitoring cyber risks.

Organizational Change Management - Holistically managing the transition of business processes, technologies, and cultures from a current state to a desired target state.

Page 11: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Effective governance requires a comprehensive and detailed strategy backed by clear and effective policies

Functional and enabling controls: Functional controls are more technical/operational in nature (e.g., application security, vulnerability assessment), while enabling controls pertain to governance, risk management, and other organizational functions that support (i.e., enable) the technical operations

Appropriate level views, high and low: Logically organized objectives and measures that are used to pinpoint and evaluate specific aspects of your security program

Address all dimensions: People, process, and technology dimensions – multifaceted views that let you evaluate each control area in its key component parts

Maturity spectrum: A maturity spectrum of granular and measurable details – a clear scale of maturity, defined by characteristics and indicators to accurately assess your level of maturity

Best practices: A foundation grounded in established best practices – developed from best practices across industry, government, and academia.

Page 12: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Case Study - The electric utility industry

Current state of the industry

Where it is going

Implications

Page 13: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Utility

All investor and privately held utilities are regulated by state regulatory commissions and federal agencies

Why Regulated?

Utilities are "natural monopolies"
• Major scale economies on distribution
• Generation not a "natural monopoly"
• Retail not a "natural monopoly" although significant scale economies apply

Utilities provide a public "good"
• Integral to function of society and economy
• Safety and reliability issues

[Diagram: regulators and the areas they oversee]
State Utility Commissions: Rates and Services; Service Complaints; Reliability; Service Territory; Expansions / Investments; Ownership; Reporting
FERC: Ownership; Reliability; Access; Reporting
DOE, NERC, DOT, et al.: Reliability; Safety

Page 14: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Utility

An electric transaction in a market with a single buyer and competitive generation

[Diagram: Utility Generation and Independent Generation (several plants) sell to the Utility Buyer; power flows over Utility Transmission and Distribution to Residential, Commercial, and Industrial Customers]

Examples: Georgia, Alabama

Page 15: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Utility

An electric transaction in a market with wholesale / industrial competition

[Diagram: Regulated Utility Generation, Independent Generation (several plants), and Wholesale Marketers, coordinated by a Generation Coordinator and System Operations, feeding Utility Transmission and Distribution to Residential, Small Commercial, Industrial, and Large Commercial Customers]

Examples: New York, California

Page 16: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Due to regulation, utilities have limited options for making and spending money

Utilities' profit is almost always based on a regulated rate of return on capital investment

Operations and Maintenance (including fuel for those that generate) is usually a pass-through, but must be justified before the regulators (PUC/PSC)

Reliability is their key metric
• Used to justify new capital investments
• Poor reliability gets a lot of negative attention from customers and politicians
• Regulators respond to this negative attention

Page 17: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Historically, severe weather accounts for the majority of grid reliability issues, but physical attacks are a growing concern

[Chart: Major Grid Disturbances, number of incidents per year for 2003 through 2008 and 2014, broken down by cause: Weather, Equipment, Control Systems, Human Error, Load Shedding, Other. Source: EIA, BAH Analysis]

Page 18: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


Compliance Example - DTE Cyber Program Development

Detroit Edison (DTE)
Cyber Security Program Assessment and Gap Analysis, Procedure Development

Client Challenge
Detroit Edison (DTE) sought an outside perspective on their position relative to key milestone requirements for implementation of NEI 08-09, and support to create a compliance roadmap including resource estimates to meet required deadlines.

Booz Allen Solution
To support DTE, Booz Allen:
• Reviewed existing DTE procedures against the requirements of NEI 08-09
• Formulated recommendations to address compliance gaps
• Helped to quantify the level of effort (LOE) required for Critical Digital Asset (CDA) assessments, Critical System and CDA identification and documentation, and sustaining program support (excluding remediation required from initial assessments)
• Assessed DTE's level of compliance with 2012 milestones, and made recommendations to re-deploy labor to meet this year's deadlines in the area of Critical System/CDA identification and documentation
• Initiated effort to support development of the set of additional required procedures

Results
DTE implemented recommendations for labor re-direction and is on track to meet all 2012 milestones. Procedures are currently under development to allow full compliance within the required timeline.

Page 19: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


For these reasons, cyber security has been treated only as a compliance issue, but that is changing

Page 20: Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense


As the grid transforms it will become more dependent upon "smart" technology, increasing the need for cyber security