
Page 1: Delivering a Tim Heidel smart grid in a Cooperative secure world. - …energycentral.fileburst.com/EC/100517_verizon_slides.pdf · 2017. 10. 5. · Engineering & Architecture . Enhancing

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Delivering a smart grid in a secure world.

Verizon & National Rural Electric Cooperative Association Webinar

October 5th, 2017

Tim Heidel, Deputy Chief Scientist, National Rural Electric Cooperative Association (NRECA)

Alex Schlager, Verizon Executive Director, Security Services

Warren Westrup, Verizon Director, IoT Solutions Engineering & Architecture

Page 2

Enhancing Utility Cybersecurity Culture

October 3, 2017

Tim Heidel, Deputy Chief Scientist, NRECA

Page 3

Utility cybersecurity challenges

• Variety of attacker goals (financial gain, infrastructure damage, etc.)

• Every utility is unique and has different needs and requirements

• Risks can include:

  • Malware and viruses (email and thumb drives)

  • Insider threats

  • Loss of sensitive data and personal info

  • Phishing/social engineering/email scams

  • Loss of system control or awareness

  • Substation or other facility intrusion

Page 4

Data breach, ransomware recovery costs

• Lost productivity and downtime

• Financial losses associated with a ransom payment or fraud

• Costs to recover data and restore normal business capabilities

• Negative publicity/damage to reputation/ brand

• Legal expenses

• Cost of credit monitoring services for employees and/or members

E. Cody, “Disruption by Design: the Escalating Ransomware Threat,” NRECA TechSurveillance Whitepaper, September 2016

Page 5

Supply chain risks

• Hardware trojans:

  • Modified circuitry (e.g. integrated circuits) designed to provide unauthorized access to data or software on critical systems

  • Designed to disable or destroy a system at some future time, or leak confidential information and secret keys

• Software:

  • Vendors may neglect security and validation of software during rapid development

  • Poor software configuration

  • Malware insertion

• Commercial Off The Shelf (COTS) products that rely on non-vetted suppliers (foreign or domestic)

Page 6

[Chart: Severity of vulnerabilities over time, 2001 to 2017, by Common Vulnerability Scoring System (CVSS) severity. Source: https://nvd.nist.gov/vuln-metrics/visualizations/cvss-severity-distribution-over-time]

Page 7

Page 8

Identify, protect, detect, respond, recover

Defense-in-Depth!


Page 9

• State-of-the-art cybersecurity assessment methodologies and software tools are often designed to be used by large, dedicated IT departments with cybersecurity experts on staff

• Cybersecurity management can be costly and time consuming, particularly for smaller utilities

• NRECA is working to adapt assessment procedures and software tools to best meet the needs and resources of small and medium utilities


Rural Cooperative Cybersecurity Capabilities Program

Page 10

Rural Cooperative Cybersecurity Capabilities Program

• Cybersecurity self-assessments

• Onsite vulnerability assessments

• Extending and integrating cybersecurity technologies

• Facilitating information sharing and collaboration among co-ops

Page 11

Rural Cooperative Cybersecurity Capabilities Program

Page 12

[Diagram: map of the parties and segments connected to a cooperative's network: Linemen, Billing, Member Services, Data Center, VPN, Board/Staff, Vendor, Internet, Operations]

Page 13

Developing comprehensive utility asset inventories

IDE-01 Do we have an inventory of all our computers?

IDE-04 Do we have an inventory of all our corporate mobile devices (e.g. cell phones, tablets, laptops, etc.)?

IDE-05 Do we have an inventory of all our employee personal mobile devices that may connect to the corporate and/or operational network (e.g. cell phones, tablets, laptops, etc.)?

Page 14

Identifying critical data utilities store and use

IDE-12 Bank account information: Have we identified all computers, network equipment, and mobile devices that store, process or transmit our member or business bank account information?

IDE-13 PII: Have we identified all computers, network equipment, and mobile devices that store, process or transmit our member or business PII?

IDE-14 Credit card numbers: Have we identified all computers, network equipment, and mobile devices that store, process or transmit our member or business credit card numbers?

Page 15

Rural Cooperative Cybersecurity Capabilities Program

Active pilots with 41 cooperative utilities in 2017

Page 16

Rural Cooperative Cybersecurity Capabilities Program

Page 17

Creating new training curricula

• Purchasing

  • Hardware & Software

  • Security Assessment Services

• Communicators

• Finance/Administrative

• Human Relations

• Legal

• Engineers/Operators

• CEOs/General Managers

• Board Members

Page 18

Training

Page 19

Training

Page 20

Rural Cooperative Cybersecurity Capabilities Program

Accessible Affordable Appropriate

Page 21

Mitigating sourcing risks (human and technology)

IDE-39 Do we screen candidates for hire by conducting background checks?

IDE-45 Do vendors and third-party service providers that have access to our buildings or network conduct background checks on the employees they hire?

Page 22

Timothy Heidel

Deputy Chief Scientist, NRECA

[email protected]

Conclusion

• Prevalence and sophistication of cyber attacks are growing throughout society

• Every utility is unique and has different needs and requirements

• State-of-the-art cybersecurity assessment methodologies and software tools are often designed to be used by large, dedicated IT departments

• NRECA is working to adapt assessment procedures and software tools to best meet the needs and resources of small and medium electric utilities

Page 23

Delivering a smart grid in a secure world

Alex Schlager, Verizon Executive Director, Security Services

Page 24

Security executives, teams are under extraordinary pressure

• Vendor overload

• Rise in cybercrime

• Staffing and skills challenges

• Evolving cloud technologies

• Regulatory pressures

• More mobility

• New digital ecosystems

• Disruptive business models

Page 25

Simple security is no longer sufficient; a shift in thinking is required

From → To:

• Single event → Persistent threats/continuous compromise

• Perimeter → Asset-based

• Company’s network → Company’s network, vendors, cloud

• Technology-led → Integrated technology, process, people

• Standards, best practices → Risk-based, strategic

• IT visibility → Board, C-level visibility

• IT Risk → Enterprise Risk

Page 26

Verizon works overtime to understand customer needs

• We capture the voice of the customer via Customer Advisory Boards (CABs) representing a wide variety of industries

• December 2017 User Forum will feature deep-dive discussions with customers on outcome-based security services

• Years of experience analyzing customer security data enable us to continually grow our Threat Library and our inventory of industry-specific use cases

• DBIR provides actionable insight into the situation in the real-world “security operations trenches”

Page 27

Verizon looks at security as part of a customer continuum

[Diagram: customer continuum spanning Cyber Detection & Response, Network Security, End-Point, and Pro Services around the Customer]

Page 28

We are moving from a security stack to a security platform

Page 29

2017 Data Breach Investigations Report (DBIR)

Lift the lid on cybercrime.

1,935 breaches

42,068 incidents

65 contributors

10th edition

Page 30

Incident classification patterns

98% of incidents and 88% of breaches fall into one of the incident classification patterns:

• Denial of Service

• Miscellaneous Errors

• Point of Sale Intrusions

• Privilege Misuse

• Crimeware

• Cyber-Espionage

• Physical Theft and Loss

• Web Application Attacks

• Payment Card Skimming

Page 31

Industry analysis

Figure 9: Industry comparison

Page 32

Utility Industry Incident Patterns – 3 year analysis

Page 33

Utility Industry Threat Actions – 3 year analysis

Page 34

Utility Industry Threat Actors – 3 year analysis

Similar to the Manufacturing industry, with a high prevalence of external attackers motivated by gain of strategic advantage.

Page 35

Delivering a smart grid in a secure world

Warren Westrup, Verizon Director, IoT Solutions Engineering & Architecture

Page 36

Security Built In From The Start

Network Interface layer (L1-2): authentication using EAP, helps protect the network operator from liability.

Internet layer (L3): using MPLS, IPsec and L2TP, helps protect the enterprise from risk.

Application layer (L5-7): with digital signature, SSL/TLS encryption and mutual authorization, helps protect data owners from liability and privacy concerns.

Page 37

Private Network

With the Private Network, you control:

+ Which devices can access your network.

+ What resources and applications those devices can connect to.

Page 38

Secure Cloud Interconnect

• Interconnect multiple providers with no additional resources

• Create a secure entry point into your cloud ecosystem

• Control costs

• Create redundancy for cloud resources

• Assign cloud resources as needed

• Interconnect virtual machines configured on different cloud service provider (CSP) platforms and/or between different regions of the same CSP

Page 39

IoT Security Credentialing: three layers of protection

IoT Security Credential protects in three ways:

Trusted authentication: helps keep hackers and malicious code out of your IoT ecosystem.

Application protection: adds an OTT layer of security that helps protect the devices and applications regardless of provider.

Data security: helps prevent your data from being changed or viewed by untrusted actors.

Page 40

IoT Security for Smart Grid

[Diagram: three protection points. Device: IoT Security Credentialing / Managed Certificate Services. Network: Mobile Private Networks (Radio Access Network → Private Wireless IP Network → Gateway → PIP/MPLS). Host/Process: Secure Cloud Interconnect (SCI, first to market) to the Public Cloud Provider.]

Page 41

Quick tips

• Be vigilant.

• Make people your first line of defense.

• Only keep data on a “need to know” basis.

• Patch promptly.

• Encrypt sensitive data.

• Use two-factor authentication.

• Don’t forget physical security.

Page 42

Thank you. To learn more, visit:

http://www.verizonenterprise.com/gridwide

http://www.verizonenterprise.com/products/security/

http://www.verizonenterprise.com/securitycredentialing

http://www.verizonenterprise.com/verizon-insights-lab/dbir/