Welcome to CES Government 2014
9th Annual Premier Policy Forum
January 6, 2014: Day 1
Protecting Critical Infrastructure: Energy and National Security
Issues, Trends, and the Private Sector
Rodney Blevins, Chief Information Officer, Dominion Resources
General Charles F. Wald (Ret), Leader, DOD Practice - Federal Government Services, Deloitte LLP
Protecting Critical Infrastructure: Who, Where and How
January 6, 2014
Experience and a New Job
2003 Isabel 1.8 million 15 days
2011 Irene 1.2 million 9 days
2012 Derecho 1 million 8 days
Public Media Attention
Disaster awaits U.S. power grid as cybersecurity lags
Cyber attackers could shut down the electric grid for the entire east coast
PENTAGON | JULY 27, 2012 | BY: ROBERT TILFORD
Thousands Seen Dying If Terrorists Attack U.S. Power Grid
By Brian Wingfield and Jeff Bliss – Nov 14, 2012 4:17 PM ET
Panetta Warns of Dire Threat of Cyberattack on U.S.
By ELISABETH BUMILLER and THOM SHANKER
Published: October 11, 2012
Dominion Strategies – Cybersecurity
[Diagram labels: Internet, Guest Network, E-mails, Web Sites, SaaS, Critical Networks, Corporate Network, Device Management, Social Media, Personal Devices, Business Partner Connections, Unknown Devices (?), Datacenter Security, Critical Infrastructure, Network/Perimeter Protection, Critical Asset Protection, Threat Monitoring, Education & Awareness]
• Prioritize Security Investments
  – Focus on the highest risks
  – Balance Between Prevention and Detection / Remediation Initiatives
• Do The Basics Well
  – Vulnerability and Patch Management
  – Credential Management
• Protect Using “Defense-in-Depth”
  – Provide the most protection where it's most important
  – Implement multiple protection barriers
• Optimize Situational Awareness
• Prepare to Respond
DOE/DHS Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
Domains in the maturity model in which companies are evaluated:
1. Asset, Change, and Configuration Management (ASSET)
2. Workforce Management (WORKFORCE)
3. Identity and Access Management (ACCESS)
4. Risk Management (RISK)
5. Supply Chain and External Dependencies Management (DEPENDENCIES)
6. Threat and Vulnerability Management (THREAT)
7. Event and Incident Response, Continuity of Operations (RESPONSE)
8. Situational Awareness (SITUATION)
9. Information Sharing and Communications (SHARING)
10. Cybersecurity Program Management (CYBER)
Now working with the Department of Energy, American Gas Association (AGA) and Interstate Natural Gas Association of America (INGAA) to create an Oil and Natural Gas Cybersecurity Capability Model.
The Big Picture
Electricity Sector Coordinating Council
Collaboration
– National Electricity Sector Cybersecurity Organization (NESCO)
– Fusion Centers
– US CERT / DHS ICS CERT
– NERC Electricity Sector – Information Sharing and Analysis Center (ES-ISAC)
– Edison Electric Institute (EEI)
– Nuclear Energy Institute (NEI)
– Nuclear Information Technology Strategic Leadership (NITSL)
– Federal Bureau of Investigation (FBI)
– National Security Agency (NSA)
– Department of Energy (DOE)
– Department of Defense (DOD)
– Cross Sector Cyber Security Working Group (CSCSWG)
– Partnership for Critical Infrastructure Security (PCIS)
– Utility Peers (UNITE, PJM)
– North American Transmission Forum
– National Labs (INL, PNNL)
NERC Grid Security Exercise
Validate readiness of the Electricity sub-sector to respond to a coordinated physical and cyber incident, strengthen utilities’ crisis response functions and provide input for internal security program improvements
Over 200 industry and government organizations from the U.S., Canada and Mexico participated
Exercise involved internal response measures and external coordination activities across the sector
After-action report scheduled for release in early 2014
EEI Threat Scenario Project
EEI member companies worked with The Chertoff Group to develop mitigation actions for top industry threats.
Companies conducted self-assessments and shared best practices and mitigation measures.
Energy’s role in securing America’s defense
General Charles F. Wald (USAF, Ret.)
Director and Leader of Deloitte’s Department of Defense Practice, Deloitte Services LP
January 2014
Copyright © 2013 Deloitte Development LLC. All rights reserved.
“The relationship between America’s national security and its dependence on foreign oil has been clear since President Franklin Roosevelt hosted Saudi King Abdul Aziz ibn Saud aboard the U.S.S. Quincy in the Suez in 1945.”
– Powering America's Defense: Energy and Risks to National Security, CNA, May 2009
U.S. energy posture is a threat
Gulf of Mexico oil spill sharpened focus on developing alternative and renewable energy success
America’s energy posture constitutes a serious and urgent threat to national security — militarily, diplomatically and economically
Source: Deepwater Horizon Rig, courtesy of U.S. Coast Guard
Global oil infrastructure: Potential risk issues
Key global chokepoints for oil transportation
Source: Energy Information Administration
Global oil consumption — There is no oil “invisible hand”
Global Production by National Oil Companies (2012), in M/bbl
Petronas: 1.4
Nigerian National Petroleum Co: 1.4
Sinopec: 1.6
Petróleos de Venezuela, S.A.: 1.9
Conoco: 2
Statoil: 2.1
ENI: 2.2
LUKOIL: 2.2
Iraqi Oil Ministry: 2.3
Qatar Petroleum: 2.3
Petrobras: 2.6
Rosneft: 2.6
TOTAL: 2.7
Sonatrach: 2.7
Abu Dhabi National Oil Company: 2.9
Kuwait Petroleum Corporation: 3.2
Chevron: 3.5
Pemex: 3.6
Royal Dutch Shell: 3.9
BP: 4.1
PetroChina: 4.4
ExxonMobil: 5.3
National Iranian Oil Company: 6.4
Gazprom: 9.7
Saudi Aramco: 12.5
Total: 89.5 M/bbl
Source: Forbes World’s 25 Biggest Oil Companies 2012
Cyber Executive Order: Cybersecurity framework program and our national critical infrastructure
Framework goal: To establish a voluntary program to support the adoption of the cybersecurity framework by owners and operators of critical infrastructure.
Currently, there are 16 industry sectors defined as critical infrastructure; 85% of critical infrastructure is in the private sector [1].
Trends exposing industry to increased risk: interconnectedness of sectors, proliferation of exposure points, concentration of assets.
Critical infrastructure sectors
• Agriculture and Food
• Dams
• Information Technology
• Banking and Financial Services
• Defense Industrial Base
• Nuclear Reactors, Materials, and Waste
• Chemical
• Emergency Services
• Transportation Systems
• Commercial Facilities
• Energy
• Water and Wastewater Systems
• Communications
• Government Facilities
• Critical Manufacturing
• Health Care and Public Health
[1] GAO Report, Critical Infrastructure Protection: Sector Plans and Sector Councils Continue to Evolve, July 2007, http://www.gao.gov/assets/100/95010.pdf
DFARS Rule
Requirements to safeguard unclassified controlled technical information:
• Applies to all contracts and subcontracts requiring safeguarding of unclassified controlled technical information resident on or transiting through contractor unclassified information systems.
• Contractor information system security is to meet NIST SP 800-53 standards at a minimum, or the equivalent as documented by contractor to the contracting officer.
• Contractor to report cyber incident within 72 hours of discovery.
• Contractor to cooperate with DoD on cyber incident damage assessment.
• Controlled technical information is defined as having military or space application, is subject to access controls and is to be marked with DoD controlled distribution statement.*
*Technical information means technical data or computer software as already defined in DFARS 252.227-7013
U.S. oil dependence undermines national security
• Weakens international leverage
• Impacts foreign policy
• Jeopardizes military
• Exacts huge price tag in dollars and lives
• Entangles U.S. with hostile regimes
• Undermines economic stability
Iran’s maritime military capability
Iranian Weapons To Close The Straits Of Hormuz: Cruise Missiles, Fighter Aircraft, Fast Attack Boats, Underwater Missiles, Mines, Submarines
$200/barrel could devastate economies and change the balance of power
Energy use in warfare: Potential risks
Fuel/Supply Convoy in the Khyber Pass
Source: USMC
Energy use in warfare: Potential risks (cont.)
USMC laying fuel lines at start of Iraq War (2003)
Source: New York Daily News; “USMC Operational Energy Efforts and Challenges, 9/11 to Now!”
Convoy at Khyber pass, Afghanistan
Instability also driven by dependence on oil
The New Normal: Current Geostrategic Situation
Questions?
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of
member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed
description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about
for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest
clients under the rules and regulations of public accounting.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
Copyright © 2013 Deloitte Development LLC. All rights reserved.
36 USC 220506
Member of Deloitte Touche Tohmatsu Limited