Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or
distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Delivering a smart grid in a secure world.
Verizon & National Rural Electric Cooperative Association Webinar
October 5th, 2017
Tim Heidel, Deputy Chief Scientist, National Rural Electric Cooperative Association (NRECA)
Alex Schlager, Verizon Executive Director, Security Services
Warren Westrup, Verizon Director IoT Solutions Engineering & Architecture
Enhancing Utility Cybersecurity Culture
October 3, 2017
Tim Heidel, Deputy Chief Scientist, NRECA
Utility cybersecurity challenges
• Variety of attacker goals (financial gain, infrastructure damage, etc.)
• Every utility is unique and has different needs and requirements
• Risks can include:
  • Malware and viruses (email and thumb drives)
  • Insider threats
  • Loss of sensitive data and personal info
  • Phishing/social engineering/email scams
  • Loss of system control or awareness
  • Substation or other facility intrusion
Data breach, ransomware recovery costs
• Lost productivity and downtime
• Financial losses associated with a ransom payment or fraud
• Costs to recover data and restore normal business capabilities
• Negative publicity/damage to reputation/brand
• Legal expenses
• Cost of credit monitoring services for employees and/or members
E. Cody, “Disruption by Design: the Escalating Ransomware Threat,” NRECA TechSurveillance Whitepaper, September 2016
Supply chain risks
• Hardware trojans:
  • Modified circuitry (e.g. integrated circuits) designed to provide unauthorized access to data or software on critical systems
  • Designed to disable or destroy a system at some future time, or leak confidential information and secret keys
• Software:
  • Vendors may neglect security and validation of software during rapid development.
  • Poor software configuration
  • Malware insertion
• Commercial Off The Shelf (COTS) products that rely on non-vetted suppliers (foreign or domestic)
[Figure: Severity of vulnerabilities over time, 2001 to 2017 (Common Vulnerability Scoring System). Source: https://nvd.nist.gov/vuln-metrics/visualizations/cvss-severity-distribution-over-time]
Identify, protect, detect, respond, recover
Defense-in-Depth!
• State-of-the-art cybersecurity assessment methodologies and software tools are often designed to be used by large, dedicated IT departments with cybersecurity experts on staff
• Cybersecurity management can be costly and time consuming, particularly for smaller utilities
• NRECA is working to adapt assessment procedures and software tools to best meet the needs and resources of small and medium utilities
Rural Cooperative Cybersecurity Capabilities Program
• Cybersecurity self assessments
• Onsite vulnerability assessments
• Extending and integrating cybersecurity technologies
• Facilitating information sharing and collaboration among coops
[Diagram: Rural Cooperative Cybersecurity Capabilities Program, utility network showing Linemen, Billing, Member Services, Data Center, VPN, Board/Staff, Vendor, Internet, Operations]
Developing comprehensive utility asset inventories
IDE-01 Do we have an inventory of all our computers?
IDE-04 Do we have an inventory of all our corporate mobile devices (e.g. Cell phones, tablets, laptops, etc.)?
IDE-05 Do we have an inventory of all our employee personal mobile devices that may connect to the corporate and/or operational network (e.g. Cell phones, tablets, laptops, etc.)?
Identifying critical data utilities store and use
IDE-12 Bank Account Information: Have we identified all computers, network equipment, and mobile devices that store, process or transmit our member or business bank account information?
IDE-13 PII: Have we identified all computers, network equipment, and mobile devices that store, process or transmit our member or business PII?
IDE-14 Credit Card Numbers: Have we identified all computers, network equipment, and mobile devices that store, process or transmit our member or business credit card numbers?
Active pilots with 41 cooperative utilities in 2017
Creating new training curricula
• Purchasing
  • Hardware & Software
  • Security Assessment Services
• Communicators
• Finance/Administrative
• Human Relations
• Legal
• Engineers/Operators
• CEOs/General Managers
• Board Members
Rural Cooperative Cybersecurity Capabilities Program: Accessible, Affordable, Appropriate
Mitigating sourcing risks (human and technology)
IDE-39 Do we screen candidates for hire by conducting background checks?
IDE-45 Do vendors and third party service providers that have access to our buildings or network conduct background checks on the employees they hire?
Timothy Heidel
Deputy Chief Scientist, NRECA
Conclusion
• Prevalence and sophistication of cyber attacks are growing throughout society
• Every utility is unique and has different needs and requirements
• State-of-the-art cybersecurity assessment methodologies and software tools are often designed to be used by large, dedicated IT departments
• NRECA is working to adapt assessment procedures and software tools to best meet the needs and resources of small and medium electric utilities
Delivering a smart grid in a secure world
Alex Schlager
Verizon Executive Director
Security Services
Security executives, teams are under extraordinary pressure
• Vendor overload
• Rise in cybercrime
• Staffing and skills challenges
• Evolving cloud technologies
• Regulatory pressures
• More mobility
• New digital ecosystems
• Disruptive business models
Simple security is no longer sufficient; a shift in thinking is required
• Single event → Persistent threats/Continuous compromise
• Perimeter → Asset-based
• Company’s network → Company’s network, vendors, cloud
• Technology-led → Integrated technology, process, people
• Standards, best practices → Risk-based, strategic
• IT visibility → Board, C-level visibility
• IT Risk → Enterprise Risk
Verizon works overtime to understand customer needs
• We capture the voice of the customer via Customer Advisory Boards (CABs) representing a wide variety of industries
• December 2017 User Forum will feature deep-dive discussions with customers on outcome-based security services
• Years of experience analyzing customer security data enables us to continually grow our Threat Library and our inventory of industry-specific use cases
• DBIR provides actionable insight into the situation in the real-world “security operations trenches”
Verizon looks at security as part of a customer continuum
[Diagram: Customer; Cyber Detection & Response; Network Security; End-Point; Pro Services]
We are moving from a security stack to a security platform
2017 Data Breach Investigations Report (DBIR)
Lift the lid on cybercrime.
1,935 breaches
42,068 incidents
65 contributors
10th edition
Incident classification patterns
98% of incidents and 88% of breaches fall into one of the incident classification patterns.
• Denial of Service
• Miscellaneous Errors
• Point of Sale Intrusions
• Privilege Misuse
• Crimeware
• Cyber-Espionage
• Physical Theft and Loss
• Web Application Attacks
• Payment Card Skimming
Industry analysis
Figure 9: Industry comparison
Utility Industry Incident Patterns – 3 year analysis
Utility Industry Threat Actions – 3 year analysis
Utility Industry Threat Actors – 3 year analysis
Similar to the Manufacturing industry, with a high prevalence of external attackers motivated by gain of strategic advantage.
Delivering a smart grid in a secure world
Warren Westrup
Verizon Director IoT Solutions
Engineering & Architecture
Security Built In From The Start
Network Interface layer (L1-2): authentication using EAP helps protect the network operator from liability.
Internet layer (L3): using MPLS, IPsec and L2TP helps protect the enterprise from risk.
Application layer (L5-7): digital signature, SSL/TLS encryption and mutual authorization help protect data owners from liability and privacy concerns.
Private Network
With the Private Network, you control:
+ Which devices can access your network.
+ What resources and applications those devices can connect to.
Secure Cloud Interconnect
• Interconnect multiple providers with no additional resources
• Create a secure entry point into your cloud ecosystem
• Control costs
• Create redundancy for cloud resources
• Assign cloud resources as needed
• Interconnect virtual machines configured on different cloud service provider (CSP) platforms and/or between different regions of the same CSP
IoT Security Credentialing: three layers of protection
IoT Security Credential protects in three ways:
• Trusted authentication: helps keep hackers and malicious code out of your IoT ecosystem.
• Application protection: adds an OTT layer of security that helps protect the devices and applications regardless of provider.
• Data security: helps prevent your data from being changed or viewed by untrusted actors.
IoT Security for Smart Grid
[Diagram: Device, Network and Host/Process columns covered by Managed Certificate Services, Mobile Private Networks and Secure Cloud Interconnect (SCI, First to Market); elements shown: Radio Access Network, Private Wireless IP Network, Gateway, Public Cloud Provider, PIP MPLS, IoT Security Credentialing]
Quick tips
• Be vigilant.
• Make people your first line of defense.
• Only keep data on a “need to know” basis.
• Patch promptly.
• Encrypt sensitive data.
• Use two-factor authentication.
• Don’t forget physical security.
Thank you. To learn more, visit:
http://www.verizonenterprise.com/gridwide
http://www.verizonenterprise.com/products/security/
http://www.verizonenterprise.com/securitycredentialing
http://www.verizonenterprise.com/verizon-insights-lab/dbir/