cybersecurity for energy: moving beyond compliance

NATIONAL SECURITY ENERGY & ENVIRONMENT HEALTH CYBERSECURITY © SAIC. All rights reserved. Cybersecurity for Energy: Moving Beyond Compliance

Upload: energysec

Post on 22-Jan-2015


DESCRIPTION

Presented by: Gib Sorebo, SAIC

Abstract: For the last few years, energy companies, particularly electric utilities, have been scrambling to meet the onslaught of cybersecurity regulations. However, hackers don't follow regulations, so the need to rapidly address evolving threats is imperative to meet the expectations of senior leadership, board members, and shareholders. This session will discuss how a mature governance structure and a cybersecurity strategy based on a comprehensive understanding of business risk can be used to address threats, comply with regulations, and obtain support from company stakeholders.

TRANSCRIPT

1. Cybersecurity for Energy: Moving Beyond Compliance (title slide)

2. The Threats Keep Coming
   • 1998: Telephone switch hack closes an airport
   • 2000: Gazprom central control is hacked
   • 2000: Australian hacker causes environmental harm by releasing sewage
   • 2001: Hackers protesting the U.S./China conflict enter U.S. electric power systems
   • 2003: Power outages occur in the northeastern United States
   • 2003: Worm shuts systems down at the Davis-Besse nuclear plant
   • 2006: Zotob virus shuts down Holden car manufacturing plant (Australia)
   • 2007: Aurora demonstration shows that a remote hacker can cause physical damage to a generator
   • 2008: Intruder installs malware causing damage to a Sacramento River diverter
   • 2010: Stuxnet discovered
   • 2012: Saudi Aramco targeted by Shamoon virus, wiping out 30,000 hard drives

3. ...And Our Defenses Struggle to Keep Up (Threat Briefing: Escalating Security Threats)
   • Attackers prefer lower-tech attack methods if they work
   • Attacks are tailored to the defenses they need to breach
   • As defenses improve, attacks will escalate to breach them, then step back down
   • Improve defenses in one area and attackers move to other areas that are weaker
   [Figure: attacks and defenses arranged as a ladder of increasing difficulty, from viruses through hacktivists to APT hackers.
    Attacks: Phishing; Spear Phishing; Published Vulnerabilities (Browser, App, OS); Web Attacks (SQL Injection, Cross-Site Scripting); Credential Harvesting & Abuse (Keylogger, Pass-the-Hash); 2-Factor Compromise (Session hijack, OTP capture, Cert theft); Break Weak Crypto / Password; Zero Day (Browser, App, OS); Driver / BIOS / Hardware (Vulnerability, Zero-Day); Hypervisor Breach (Vulnerability, Zero-Day); Break Strong Cryptography; Network Breach (Firewall, Switch, Router).
    Defenses: Firewall; Anti-Virus; Patching; Network IDS; Host Firewall, Intrusion Detection System (IDS) / Intrusion Prevention System (IPS); Network Segmentation; Physical Isolation; Hardened Operating System; Data Protection / Encryption; Secure Coding; Access Control; App Whitelisting; App Hardening; High Assurance Hardware; 2-Factor Authentication; Log Consolidation; In-Memory Malware Detection.
    BIOS = Binary Input Output System; APT = Advanced Persistent Threat; OS = Operating System; OTP = One-time Password; Cert = Certificate]

4. Cybersecurity is Becoming a Board-level Issue
   • Sources cited on the slide: Reuters, October 13, 2011; National Association of Corporate Directors

5. Turning Cybersecurity Risk Into a Business Risk
   • Nuisance example: isolated malware infections
     - Typically occur at a rate of 6% of computers per year
     - One oil company estimated the cost at $4,000 per machine (including productivity losses)
   • Slightly less of a nuisance: customer data breach losses
     - Ponemon Institute estimated the cost at $194 per record (most of the cost is future lost business)
     - TJX saw losses of more than $171 million for its 2006 data breach; Heartland Payment Systems had 130 million credit card numbers breached in 2009
     - For most customer data breaches, however, the relevant costs are minor, as harms are hard to prove and the reputational damage is short-lived
   • For utilities, the greatest threats from a cybersecurity attack are to the ability to operate:
     - Maintaining stability of transmission and distribution grids (preventing widespread outages)
     - Keeping hard-to-replace equipment from being damaged or destroyed (Aurora)
     - Protecting human lives (fires, electrocutions, explosions, radiation)
     - Ability to maintain cash flow (integrity of financial records, ability to bill and receive payments, access to bank accounts to pay suppliers)
     - Ability to generate and coordinate (independent system operator functions, automated generation control)

6. What About These Cyber Risks?
   "Examples of true incidents that have been labelled cyber security breaches are as follows: a mis-sent email (a strategy document sent to a competitor); commercial papers lost on a train; a former employee that was not legally prevented from taking bid information to a competitor; a laptop left on a plane with passwords attached; and careless use of social media giving away IPR, and more frequently, because it's cheaper, the use of social engineering ('new best friends' who buy you drinks all night at the bar, fascinated by your company)."
   Andrew Fitzmaurice, The Guardian, July 25, 2013, http://www.guardian.co.uk/media-network/media-network-blog/2013/jul/25/cyber-security-board-level-information-technology

7. Organizing Around Business Risk
   • The banking experience (Basel II/III): organizes risk around categories that can be measured and that contribute to the organization's overall risk posture, which in turn influences capital requirements
   [Figure: Market Risk, Credit Risk, Liquidity Risk and Operational Risk feed into Influence on Capital Requirements. Operational Risk components: Legal; Human Resources; Physical Security/Facilities; Procurement; IT (Performance, Security, Capacity). IT = Information Technology]

8. Business Risk for Utilities
   • Align by function/business area
   • Harder to tie in financial metrics that benefit from lower risk (bond ratings?)
   [Figure: Utility Business Risks: T&D Reliability; Energy Trading; Key Equipment Protection; Human Safety; Operational Risk. Operational Risk components: Cash Flow; Compliance; Human Resources; Facilities; IT (Performance, Security, Capacity). T&D = Transmission & Distribution; IT = Information Technology]

9. Governance Model
   • Who does the cybersecurity organization report to?
     - In many, it's the Chief Information Officer
     - Can reporting reach executive and board-level stakeholders?
     - Do policies regularly get the backing of the CEO?
   • Budget
     - Is the cybersecurity budget tied to major initiatives (transmission expansion, safety initiatives, new substations)?
     - Is there a relationship between cybersecurity risk and other major risks?
     - As new meters, sensors, and relays are added, is cybersecurity risk adjusted along with its budget?
     - Are improvements in grid reliability correlated with improvement in cybersecurity?
     - Are cybersecurity budget line items evaluated for how they help reduce major business risks or even other operational risks?

10. Moving from a Tactical to a Risk Management Mindset
   • What gets reported?
     - Malware infections vs. business disruptions
     - Data breaches/lost laptops vs. value at risk
     - Attacks blocked vs. threats averted
   • How are resources allocated for cybersecurity?
     - Tactical: firewall management, log management, authentication, endpoint security, server security
     - Risk management: T&D grid stability, customer data protection, energy trading integrity, key asset protection, health and safety
   (T&D = Transmission & Distribution)

11. From Resistance to Resiliency and Recovery
   • Do you know what your response will be if:
     - You cannot trust the data coming from your substations?
     - Customer billing data has been corrupted?
     - Hackers have brought down your Energy Management System, and you're not sure if all malware has been removed?
     - A smart meter firmware update that was just applied contains malicious code that shuts off power and then ceases communication?
   • Most utilities run disaster recovery and business continuity drills, but they usually focus on natural events and not on malicious and sentient actors
   • While prevention and detection are necessary, successful programs assume response and recovery will be required and plan accordingly

12. Where to Start
   • How can you tell how good a job you are doing?
   • Mapping to business risks helps to speak to the board, but day-to-day challenges still require a comprehensive approach
   • Frameworks can help if used in the context of business risk: NERC CIP, NIST SP 800-53/800-82, ISO 27001, IEC 62443*
   • Need maturity models and means of comparison with peers
     - Electricity Subsector Cybersecurity Capability Maturity Model (US Department of Energy)
     - Maturity Indicator Levels (MIL): MIL1: Initiated; MIL2: Performed; MIL3: Managed
   *See last slide for acronyms

13. Managing IT Security Capabilities
   Controls need to be applied from a lifecycle and functional perspective, with Integrated Strategy & Architecture, Integrated Operations, and Engineering services in each of ten functional areas, as indicated below (on the slide the lifecycle columns are grouped under Strategy & Architecture, Engineering, and Operations).

   | #  | Functional Area                          | Architect | Design | Deploy | Support | Retire | Maintain | Operate |
   |----|------------------------------------------|-----------|--------|--------|---------|--------|----------|---------|
   | 1  | Security Infrastructure Management       | X         | X      | X      | X       | X      | X        | X       |
   | 2  | Network Admin & Security                 | X         | X      | X      | X       | X      | X        | X       |
   | 3  | Application Security                     | X         | X      | X      | X       | X      | X        | X       |
   | 4  | Endpoint & Server Security               | X         | X      | X      | X       | X      | X        | X       |
   | 5  | Cryptography & Data Protection           | X         | X      | X      | X       | X      | X        | X       |
   | 6  | Identity Management & Authentication     | X         | X      | X      | X       | X      | X        | X       |
   | 7  | Asset Management & Supply Chain          | X         | X      | X      | X       | X      | X        | X       |
   | 8  | Monitoring & Vulnerability Management    | X         | X      | X      | X       | X      | X        | X       |
   | 9  | Incident Response                        | X         | X      | X      | X       | X      | X        | X       |
   | 10 | Policy & Audit & E-Discovery & Training  | X         | X      | X      | X       | X      | X        | X       |

14. Along with Some Control System Considerations
   • Bridging the Information Technology (IT) / Operations Technology (OT) divide will be critical to a successful program, as the threats hit IT first but the biggest impact is felt on the OT side

15. Integrating the Data
   • Frameworks operate at 10,000 feet, threats at ground level
   • Need automated mechanisms to report current state
   • In government, we often use the term continuous monitoring; commercially it's often called enterprise vulnerability management
   • Also need to ensure mandated controls stay current with threats
   [Figure: Operations/Engineering, Physical Security, and IT-Telecom/Cybersecurity data brought together through roles-based correlation]

16. Putting It All Together
   • Strategy & Risk Management
     - Assessing and reporting
     - Mapping security controls to an acceptable risk posture
     - Making sure cybersecurity risks are associated with business risks
   • Security Operations
     - Monitoring systems and networks for attacks
     - Continuously monitoring for vulnerabilities and policy violations
     - Aggressively seeking out threat intelligence
     - Responding to incidents and assisting with the recovery
   • Security Engineering
     - Researching new protection techniques
     - Designing, deploying, and supporting new security tools and technologies
     - Aligning security tools, techniques, and technologies with the organization's culture and business drivers
   • Governance & Oversight

17. Budgets: How Much Security is Enough?
   • The industry norms
     - Cybersecurity budgets in all industries tend to range from 3 to 10% of the information technology budget
     - For utilities, that number is closer to 3-5%
     - IT budgets vary considerably by industry given the different ways revenue is generated
     - For many, 2-5% of revenue is typical for an IT budget
     - For energy companies, operations technology (such as control systems) may be additional
   • Criteria for additional expenditures
     - Regulatory compliance (as much as 50% of the security budget)
     - Requirements to meet business continuity objectives
     - Desire to meet industry best practices (such as encryption of all removable storage)
     - Changing threat landscape
     - Easily exploitable vulnerabilities
     - Achieving an acceptable risk posture (most subjective and hardest to substantiate)

18. Example: Incorporating New Threats
   • Stuxnet
     - Highly targeted and advanced attack on an Iranian nuclear power plant
     - Included several zero-day exploits (malicious software targeting vulnerabilities that had not been publicly known)
     - Likely introduced into an air-gapped environment through a flash drive
   • Updating security policy and related controls
     - Removable media practices
     - Out-of-band monitoring
     - Application whitelisting
   • Obtain buy-in from senior management
     - Tie changes to key business objectives (such as key asset protection)
     - Update budget
   • Update policies and train employees
   • Deploy software
   • Integrate technology

19. In Summary: Keys for a Successful Security Program
   • Compliance through lower risk
   • Crossing organization boundaries
   • A strategic approach
   • Future aware
   • Holistic security approach

20. Discussion
   For more information contact: Gib Sorebo, SAIC Vice President / Chief Cybersecurity Technologist
   phone: 703-676-2605 | email: [email protected]

21. Acronyms
   • NERC: North American Electric Reliability Corporation
   • CIP: Critical Infrastructure Protection
   • NIST SP: National Institute for Standards and Technology Special Publication
   • ISO: International Standards Organization
   • IEC: International Electrotechnical Commission