energy industry organizational strategies to increase cyber resiliency


Upload: energysec

Post on 20-May-2015


DESCRIPTION

Presented by: Julie Soutuyo, Tennessee Valley Authority. Abstract: Over the past 40 years, the energy industry has evolved to a position of dependence upon information technology to accomplish its mission. Cyber attacks have become a “way of life” as the Nation, industry, organizations, and individuals strive to operate safely and securely in cyberspace. Most rely on a compliance-based “whack-a-mole” approach to cyber defense, which presents multiple barriers to hackers based on the last attack, with efforts to “hit” any that get inside the organization’s defenses. While still valid, this compliance-based approach has significant challenges: stopping intruders, mitigating the problems they create, and positioning an organization to achieve its mission under a cyber attack. Cyber experts across the Nation are increasingly turning to resiliency as a means of fighting through these attacks, with the objective of meeting operational and mission requirements in spite of them. This shift is driving organizations to rethink their organizational structures to achieve unity of effort and streamlined decision-making in the face of a fast-paced set of operational demands. This presentation will highlight strategies to promote a cyber resilient organization.

TRANSCRIPT

Page 1: Energy Industry Organizational Strategies to Increase Cyber Resiliency

Julie Soutuyo, Senior Program Manager, Tennessee Valley Authority

Improving Organizational Resilience to an Increasing and Evolving Threat

EnergySec 9th Annual Security Summit, September 18, 2013, Denver, CO

Organizational Cyber Resilience

Page 2: Energy Industry Organizational Strategies to Increase Cyber Resiliency

TVA Restricted Information – Deliberative and Pre-Decisional Privileged

Table of Contents

• The CEO’s Challenge
• Cybersecurity in Context
• The Cyber Risk
• Possible Solutions

Page 3: Energy Industry Organizational Strategies to Increase Cyber Resiliency

On July 25th, our CEO challenged the TVA staff to improve our future economic posture

• Doing so while effectively operating across four imperatives:
  – Debt,
  – Rates,
  – Stewardship, and
  – Asset Portfolio
• In an operating environment focused on
  – Trust,
  – Safety, and
  – Change
• And a significant evolution of our culture
• His message was clear…the TVA must undertake major transformation

Page 4: Energy Industry Organizational Strategies to Increase Cyber Resiliency

The company is undergoing a transformation of business and culture…

• This is an optimal time to make progress on communicating the benefits of becoming more cyber resilient:
  – New CEO
  – Economic challenges
  – Changes in organizational structure and strategic direction
  – Increased focus on reducing risk
  – An appeal to all employees to be innovative in finding solutions

Page 5: Energy Industry Organizational Strategies to Increase Cyber Resiliency

The challenge is that “Cyber” is not always well understood by utilities…

• Cyber security is seen as important but many employees don’t understand the threat:
  – Cyber terminology is confusing
  – Some don’t believe the threat is “real”
  – Many feel that sensitive networks and assets are sufficiently isolated
  – “No way! I’m not shutting down to patch anything! My 1995 ICS technology (with no maintenance agreement in place) is safe!!”
• Executives are often in the same “boat”:
  – Didn’t we fix that already?
  – NERC CIP must be addressing my requirements
  – Not critical to making electricity
  – What am I getting in return for this investment?
  – Who else is experiencing this? Nobody in the industry? Why am I spending so much????

“Uh, I think your Stuxnet ate my Poison Ivy and caused my Duqu to explode after a denial of service…..then the Aurora came after the Shamoon and finally, I just decided to go phishing with my kill chain…”

Note: Cyber terms are not “common” utility jargon!

Page 6: Energy Industry Organizational Strategies to Increase Cyber Resiliency

A key component of influencing change within an organization’s culture is to tell a story….

My story about how to become more cyber resilient starts with the network....

...and ends with TVA in a much better cybersecurity posture by 2020; ready to face next generation cyber threats.

Page 7: Energy Industry Organizational Strategies to Increase Cyber Resiliency

Like other utilities, TVA has many different networks used to operate the company

• Different types of networks across the corporate and power environments are the means for executing the TVA mission
  – Operations managed; sensor data and decisions from ICS
  – Safely operate and maintain power plants and transmission systems
  – Buy and sell power; bill customers; receive revenues
  – Communicate internally and externally
  – Manage environmental requirements
• These same networks are the target of cyber attacks and the potential means for attacking TVA Critical Assets or Business Processes
• The attackers are…
  – More sophisticated and effective
  – With the potential for causing serious disruption and even destruction of our resources
  – Interested in achieving various objectives

Page 8: Energy Industry Organizational Strategies to Increase Cyber Resiliency

Even as we resolve our financial challenges, we have an opportunity to drive change…

• Working collectively on solutions to our networked security…
  – Across functional lines that have common ground
  – To identify mutually supportive solutions
  – Towards becoming operationally resilient to cyber attacks
  – And, the means to tackle the broader financial challenges
• NOW is the time for developing our cybersecurity resilience to protect our networked resources and continue to fulfill our mission requirements
  – Make recommendations to evolve our cyber operations posture from…
    • Compliance
    • To becoming agile
    • And ultimately resilient
  – Which will allow TVA to recognize
    • Enhanced cybersecurity safety
    • Building trust and confidence across our enterprise and with our customers
    • Avoid catastrophic costs resulting from an increasingly likely cyber attack
    • While embracing change

Page 9: Energy Industry Organizational Strategies to Increase Cyber Resiliency

The TVA has been a technology leader through the 20th Century

Major TVA events
• 1933. TVA established by Congress to address environmental, economic, and technological challenges including delivery of low-cost electricity
• 40s – expanded hydropower construction
• 50s – Largest electricity supplier
• 1959. Federal appropriations ended; TVA becomes self-financing
• 60s – Introduction of nuclear power plants
• 70s – 80s – Focus on energy conservation
• 90s – Increased competition; clean air focus
• 1999. Federal appropriations for environmental stewardship and economic development activities ended
• 2000s – focus on energy, environment, and economic development

Major Internet events
• 1969. The Internet (ARPANET) brought on line
• 1970s. Introduction of 1st generation “monolithic” SCADA systems
• 1980s. Growth of 2nd generation “distributed” SCADA systems
• 1982: Internet protocol TCP/IP standardized
• 1990s. 3rd generation “Networked” SCADA systems
• 1991. World Wide Web evolves through new protocol, hypertext
• Explosive growth of the internet
• Rise of social networking (e.g., Facebook, Twitter)
• Exponential growth of mobility platforms

Major cyber attacks
• 2000. DDOS attack across commercial web sites ($1.7B in damages)
• 2003. Slammer worm infected 90% of vulnerable computers within 10 min ($1B in damage)
• 2009. Merrick Bank lost $16M after hackers compromised 40M credit card accounts
• 2010. Stuxnet infected Iranian nuclear facilities
• 2012. More than 30,000 computers at Saudi Aramco (oil company) destroyed by virus

• IT revolutionized our industry
  – Affected every element of power generation and delivery
  – Almost always “bolted on” and not “built in”
• AND…introduced significant risk from cyber attacks
  – With increased frequency, from more adversaries, with greater sophistication, against more targets, with increased success, …and greater impact

Page 10: Energy Industry Organizational Strategies to Increase Cyber Resiliency

…and technology with the cyber threat has introduced risk to our imperatives

Rates
• Increases costs from:
  o Disruption of service and restoration requirements
  o Legal fees resulting from theft or destruction of data
• Potential loss of customers (particularly industrial customers)

Debt
• Immediate impact to O&M costs to restore systems damaged or destroyed by a cyber attack
  o Could cause TVA to exceed its debt threshold

Stewardship
• Loss of trust and credibility…
  o Customers due to loss of privacy data or service outage
  o Government due to national power grid impacts
• Safety … placing staff in harm’s way working to resolve outages
• Economic and environmental impacts resulting from destruction of major environmentally sensitive TVA components

Asset Portfolio
• Unstable and/or unreliable critical asset performance
• Potential damage, destruction, and loss of assets
  o Both short and long term

The Cyber Threat is driving unwanted change into TVA and in turn is eroding our trust and safety

Page 11: Energy Industry Organizational Strategies to Increase Cyber Resiliency

We can control some of the drivers of risk and some we can’t

External Drivers – Those we can’t control

• Customers…those whom we serve, with expectations for
  – Uninterrupted service
  – Reasonably priced electricity
  – Protection of Personal Identification Information and privacy expectations
  – Environmental stewardship
• Government (e.g., NERC)…Drive oversight & regulations
  – Drives cost (e.g., changes in “bright line,” EPA requirements)
  – Expects industry to operate systems securely and safely (e.g., nuclear facilities operate in a virtually “zero defect environment”)
• Industry…Both Partners/Competitors
  – Jointly managing the Nation’s power grid
• Vendors…supporting TVA
  – Drive change with updates and new capabilities
• Threat Actors (e.g., hacktivists, criminals, Nation States)
  – Focused on embarrassment, exploitation, theft, disruption, and destruction
  – Capable of taking over Industrial Control Systems (ICS) and corporate networks; shutting them down; creating significant risk to TVA staff and customers (loss of service; restoration risks, etc.)

Internal Drivers – Those we can control

• TVA Organization
  – Decentralized, tiered, & distributed
• Staff
  – The guardians of TVA culture
  – Both driving and resisting change
• Culture
  – Accountability
• Technology
  – Constantly increasing the pace of change with technology refresh, updates, patches, etc.
• Aged Infrastructure
  – Some is 80 years old…does not always adapt easily
  – Cybersecurity technology solutions generally bolted on vice built in
• Funding and Budgets
  – Bounded (as our CEO reminded us)
  – Debt ceiling is almost gone

Can Impact our Costs

Page 12: Energy Industry Organizational Strategies to Increase Cyber Resiliency

This isn’t to suggest that only bad things evolve from this challenging period of change

• Large scale change presents an opportunity to examine our approach to cybersecurity
• Increase trust in our systems
  – Enhance our cybersecurity posture
  – Revisit how we fund
    • How much are we investing now
    • Percentage of our network coverage
    • Known risks in different operating environments that have not been addressed (e.g., corporate, nuclear, fossil, etc.)
    • Which investments would create the maximum value (near, mid, and long term) impact
  – Examine cybersecurity across functional elements (e.g., IT, Operations, and Supply/Logistics) to collectively develop ideas and options to better secure our networks
• Ultimately, cybersecurity is about risk…and money
  – How much cybersecurity risk are we willing to accept
  – At what cost
    • To make changes
    • To avoid potential catastrophic costs

We are not alone in this struggle…the entire industry is challenged

Page 13: Energy Industry Organizational Strategies to Increase Cyber Resiliency

The CEO’s challenge is an opportunity to…

• Define the cybersecurity risks we face… and the implications for how we secure our networks
• Consider the evolving cyber environment… and the potential implications for our future operations
• Jointly identify some possible solutions… and what other options we might consider
• Expand our approach to cybersecurity… and consider cross organizational, multi-functional solutions
• Redefine our understanding of networks… and protect them as vital to executing our mission
• Examine the costs of doing so… and the potential costs of not
• Assess the timing of making changes… in the near, mid, or long term

Page 14: Energy Industry Organizational Strategies to Increase Cyber Resiliency

Today, the government’s cybersecurity response focuses on regulations & standards

The Government Response
• NERC CIP has issued 28 documents detailing Reliability Standards
  – Set standards for reporting, cyber asset identification, system categorization, security management controls, personnel and training standards, management (electronic, physical, and systems security management), configuration management, information protection
  – Each includes requirements and measures; for example…
    • CIP-001-2a has 4 requirements and 4 measures
    • CIP-002-3 has 4 requirements with 5 sub-requirements and 7 sub-sub requirements, and 4 measures

… And Industry Complies
• Developed large IT organizational structures to meet requirements
• Expended significant resources to protect systems and networks
• Has not been as likely to adopt recommendations (vice requirements)
• In fact…compliance, all too often, is the foundation and primary means for mitigating risk … “If I comply, I’m protected”

Standards, requirements, alerts, reporting and compliance serve an important function for fulfilling organizational objectives operating in cyberspace

Page 15: Energy Industry Organizational Strategies to Increase Cyber Resiliency

But, compliance alone is risky and the nature of the energy industry poses additional challenges

(Table: columns Operational / Organizational / Resourcing; rows Focus / Challenges / Result)

Focus
• Operational: Compliance-based defense (e.g., NERC CIP and NIST guidelines)
• Organizational: Leadership and technical staff from corporate headquarters to distributors are independent
• Resourcing: Primarily on O&M (vice capital expenditures) to meet regulatory requirements

Challenges
• Operational:
  – Complex situational awareness; discerning source of disruption or destruction between routine failures vice cyber attacks
  – Limited response actions: frequently “after the event”; reluctance to shut systems down
  – Slowed response waiting for developed, tested, deployed, and approved solutions
• Organizational:
  – Need to integrate across diverse operational platforms to establish an operational framework and increase employee awareness
  – Organization-wide solutions to cyber attacks difficult and costly due to loose federation of IT infrastructures, complex and different network environments, requiring specialized solutions
• Resourcing: Increased costs
  – Operating and maintaining multiple IT solutions and architectures
  – Executing compliance requirements across multiple organizational elements
  – Capital IT expenditures are accomplished independently; plants, vendors, distributors adopt different solutions that frequently aren’t interoperable or require expensive interfaces
  – Missed opportunities to gain efficiencies and savings through consolidated, organization-wide negotiations with vendors (vendors often drive solutions)

Result
• Increased potential for success of cyber attacks with resulting energy disruption, loss of data and corresponding legal and financial impacts

Page 16: Energy Industry Organizational Strategies to Increase Cyber Resiliency

Those challenges affect our ability to respond quickly…and in cyberspace it’s all about speed

“Time is Money” was never more true…and it’s not just one cyber attack…it’s hundreds…thousands and they aren’t going to stop… because it works

• Discovery – Time between discovery of a zero day vulnerability and the development, testing, deployment, and implementation of a solution
• Detection – Time between a successful breach of a network/system and discovery by the organization
• Response – Time to develop, test, deploy, and implement solutions
• Recovery – Time to restore network/systems to full operational capabilities
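To make the four windows on this slide measurable, here is an added example (not from the presentation or TVA) that computes each window from constructed incident timelines and flags incidents whose detection window exceeds a threshold; the record layout, field names and the 72-hour default threshold are assumptions made for the example.

```python
"""Measure the slide's four time windows (discovery, detection, response,
recovery) over constructed incident timelines.

Added example, not part of the original presentation. Record layout, field
names and the dwell threshold are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample timelines (not real incident data). Each record carries
# the timestamps that bound the deck's four windows:
#   discovery : vulnerability disclosed -> fix implemented
#   detection : breach occurred         -> breach discovered by the organization
#   response  : breach discovered       -> solution developed, tested, deployed
#   recovery  : solution deployed       -> systems restored to full capability
SAMPLE_INCIDENTS = [
    {"id": "INC-01", "vuln_disclosed": "2013-03-01T09:00", "breach": "2013-03-04T02:15",
     "detected": "2013-03-09T14:30", "fix_deployed": "2013-03-11T18:00",
     "restored": "2013-03-12T06:00"},
    {"id": "INC-02", "vuln_disclosed": "2013-05-10T08:00", "breach": "2013-05-10T20:00",
     "detected": "2013-05-11T08:00", "fix_deployed": "2013-05-11T20:00",
     "restored": "2013-05-12T02:00"},
    {"id": "INC-03", "vuln_disclosed": "2013-06-20T12:00", "breach": "2013-07-01T00:00",
     "detected": "2013-07-29T00:00", "fix_deployed": "2013-08-02T00:00",
     "restored": "2013-08-05T12:00"},
]


@dataclass
class WindowReport:
    incident_id: str
    discovery_h: float   # vulnerability disclosed -> fix deployed
    detection_h: float   # breach -> detected (attacker dwell time)
    response_h: float    # detected -> fix deployed
    recovery_h: float    # fix deployed -> restored


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two timestamps; a window that runs backwards
    means the timeline was recorded wrong, so refuse to report it."""
    delta = _parse(end) - _parse(start)
    if delta < timedelta(0):
        raise ValueError(f"timeline out of order: {start} is after {end}")
    return delta.total_seconds() / 3600


def measure(incident: dict) -> WindowReport:
    """Compute the four windows for one incident record."""
    return WindowReport(
        incident_id=incident["id"],
        discovery_h=_hours(incident["vuln_disclosed"], incident["fix_deployed"]),
        detection_h=_hours(incident["breach"], incident["detected"]),
        response_h=_hours(incident["detected"], incident["fix_deployed"]),
        recovery_h=_hours(incident["fix_deployed"], incident["restored"]),
    )


def summarize(incidents: list) -> dict:
    """Mean of each window across all incidents plus the worst dwell time."""
    reports = [measure(i) for i in incidents]
    return {
        "mean_discovery_h": mean([r.discovery_h for r in reports]),
        "mean_detection_h": mean([r.detection_h for r in reports]),
        "mean_response_h": mean([r.response_h for r in reports]),
        "mean_recovery_h": mean([r.recovery_h for r in reports]),
        "longest_dwell": max(reports, key=lambda r: r.detection_h).incident_id,
    }


def slow_detections(incidents: list, max_dwell_h: float = 72.0) -> list:
    """IDs of incidents where the intruder went unnoticed longer than max_dwell_h
    (the 72-hour default is an assumed target, not a figure from the deck)."""
    return [r.incident_id for r in map(measure, incidents) if r.detection_h > max_dwell_h]


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INCIDENTS).items():
        print(f"{key:18} {value}")
    print("over dwell target:", slow_detections(SAMPLE_INCIDENTS))
```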

Page 17: Energy Industry Organizational Strategies to Increase Cyber Resiliency

…and cyberspace is not getting any slower or safer

• Cyber attacks are increasing every day
  – Across the Nation
  – Our industry
  – …and against TVA
• Using a wide variety of methodologies
  – “Phishing” … social engineering of email
  – Malware … planting tools and software in our networks
  – Denial of Service … denying us and our customers access to our networks
  – Ransomware … hijacking computers forcing payment for release
• And it’s not going to get any better for the foreseeable future
  – …because it works

• DHS reported 198 attacks on critical U.S. infrastructure in 2012…up from 9 in 2009
• In 2012, ICS-CERT tracked 171 unique vulnerabilities affecting ICS products across 55 vendors
• The TVA experienced an almost 30% increase in attacks year over year
• Over the last quarter, DELL SecureWorks has escalated 269 incidents beyond the SOC

Page 18: Energy Industry Organizational Strategies to Increase Cyber Resiliency

Given “Time is Money”…we must…

• Be more than compliant…compliance activities are “table stakes”
• Be faster…
  – Identify vulnerabilities faster across the enterprise
  – Identify attacks faster
  – Work the development, testing, and deployment of solutions faster
  – Make decisions faster
  – Restore networks and systems faster
• Be more agile by creating response options vice just “stopping the pain”
• Systematically build a plan towards becoming resilient, able to meet mission requirements by “fighting through” cyber attacks
• We need a paradigm shift in our approach beyond compliance to become agile and ultimately resilient

(Chart: Cost of a Cyber Attack $$$ plotted against Time/Speed and Money)

The average cost of a breach is about $188 per stolen record, and the average loss per incident is $9.4 million (Ponemon Institute)

Page 19: Energy Industry Organizational Strategies to Increase Cyber Resiliency

A journey towards resilience can be iterative

Compliant (Today)
• Continue to meet requirements
• Expand to executing NERC/NIST recommendations
• Develop options for becoming more agile and make plans to become resilient
• Evolve the TVA culture to embrace cybersecurity safety

Agile (1-3 Years)
• Harden network infrastructure and develop options and alternatives to become more robust to withstanding cyber attacks
• Develop architectures and acquisition strategies that will serve as the foundation for becoming resilient
• 1-3 year time frame to develop and deploy in stages

Resilient (3-7 Years)
• Build security in to our infrastructure
• Execute a plan and supporting architectures and acquisition strategy
• Withstand, mitigate, and defeat cyber attacks with planned, rehearsed responses that ensure mission execution
• 3-7 years synchronized with other programs and operations across TVA

Page 20: Energy Industry Organizational Strategies to Increase Cyber Resiliency

Resiliency is a complex set of activities that must be programmed into our “operational DNA” and be…

…Planned
• Execute compliance based requirements…as well as recommendations
• Develop IT/Cyber architecture integrated with other utility disciplines for next generation systems
• With corresponding and supporting policy implementations
• And supporting acquisition strategies for the “long haul”
• Interdependencies must be understood and documented
• Services, data storage, system criticality must be documented in advance to program response actions in a timely manner

…Practiced
• Cyber resiliency must be practiced
• Leaders and technical staff trained and exercised in roles and responsibilities
• Immediate action drills must be documented and rehearsed

…Unified
Across large, diverse, decentralized organizations (e.g., TVA) requires:
• Coordinated and integrated architectures
• Standardize with “controlled diversity” of approved tools, equipment and vendors
• Comprehensive situational awareness across all components
• Consolidated and centralized decision-making…there’s no time for debate

… and Resourced
• Acquisition strategy that addresses resiliency requirements
• Supports security architectures
• Maximize IT/cyber resources and interoperability through vendor strategies
• Redundant (backup) resources must be identified and if necessary resourced

We may not simply declare we are resilient; rather it requires a set of comprehensive reforms organizationally to evolve itself.

Page 21: Energy Industry Organizational Strategies to Increase Cyber Resiliency

We’ve proposed some “ideas” as a start point for options leading to resilience that are…

• By no means comprehensive
  – But intended to get the discussion started
• Grouped by
  – Network and Security Capabilities
  – Engineering
  – Organizational
  – Supply Chain
  – Enterprise Risk Management
• Characterized along spectrums of…
  – Costs (low, moderate, and high)
  – Time (near, mid, and long)
• Opportunities for the TVA staff
  – To embrace and drive essential change across our organization
  – Build trust in an environment of shared cybersecurity safety
  – To leverage the unique cross functional qualities of IT/Cyber

Page 22: Energy Industry Organizational Strategies to Increase Cyber Resiliency

Network and Security Capabilities

• Embed TVA-wide IT/Cyber situational awareness within existing TVA operations center(s) with complete performance view of corporate and power WAN and LAN networks
  – Provide 100% situational awareness of ALL TVA (transmission, IT, nuclear, etc.)
  – Efficiencies and cost savings
  – High Cost – Long Term
• Enhanced Incident Response capabilities across the entire enterprise
  – Enhance Unity of Effort and decrease response times
  – Low Cost – Near Term
• Evaluate cybersecurity effectiveness of network carriers and embed corresponding requirements in contracts
  – Create options to increase robust network capabilities and capacity
  – Low Cost – Mid Term
• Work with vendors to ensure cybersecurity is built in to their products including situational awareness
  – Moderate Cost – Long Term
• Examine options for establishing the means for testing Vendor products and our own (e.g., incorporated network firewalls, wireless encryption and DMZ’s as the primary maintenance and diagnostic hub for plant)
  – Require Vendor certification through the facility
  – Moderate cost – Mid Term
• Continue to expand and build on current government relationships at the network level and through policies and procedures
  – Low Cost – Near Term

Page 23: Energy Industry Organizational Strategies to Increase Cyber Resiliency

…and…

Engineering
• Embed cybersecurity technology in all Engineering initiatives and architectures (all forms, civil, mechanical, power, IT) as a requirement for program approval
  – Require resiliency strategies in operational and acquisition reviews and escalate the concept into the strategic plan
  – Cultural shift – Low cost – Near Term
• Build an IT/cyber architecture that captures the ideas, options, and plans for securing the network to serve as the foundation of our cyber resiliency
  – Low Cost – Mid Term
• Improve and invest in data retention and back-up strategies across TVA (corporate IT and plant) to enable recovery when needed
  – Moderate Costs – Mid Term

Organizational
• Inextricably bind security and safety, e.g. “If it’s not secure, it’s not safe”
  – Culture shift…safely operating network, individual computers, etc.
  – Low Cost – Near Term
• Promote cybersecurity safety across the TVA (e.g., staff, customers, vendors, etc.)
  – For smart grid, demand response, financial, and other inter-connections
  – Low Cost – Near Term
• Attract and recruit technology companies into Tennessee Valley who build programmable components and thereby enhance the defense industrial base security and that of utilities/critical infrastructure
  – Manufacturers become customers – Low Cost – Long Term

Page 24: Energy Industry Organizational Strategies to Increase Cyber Resiliency

…and…

Supply Chain

• Perform a source of supply analysis on programmable logic components (relays, switches, routers, etc.) to determine country of origin; conduct cost-benefit analysis for replacing PLCs per risk analysis
  – Low Cost – Near Term
• Increase security specifications on all acquisitions
  – Low Cost – Near Term
• Reward vendors and partners who exhibit exceptional security performance
  – Contractual requirements, measures, and rewards for securely maintaining vendor supplied technologies
  – Create vendor guidelines for security standards through contracts
  – Low Cost – Near, Mid, and Long Term (contract dependent)
• Use pre-vetted Government contract vehicles to acquire security services when possible
  – Low Cost – Near Term

Enterprise Risk Management

• Raise cyber risk awareness
  – Understand the impact of cyber threats to all current TVA Risks
  – Low Cost – Near Term
• Adjust Enterprise Risk Management (ERM) to more fully address financial implications of the risks and impacts of cyber attacks
  – Low Cost – Near Term
• Expand operational risk view to “look outside the fence” and ensure communications and collaboration are occurring with entities external and internal to TVA


Page 25: Energy Industry Organizational Strategies to Increase Cyber Resiliency


TVA Restricted Information – Deliberative and Pre-Decisional Privileged

We won’t get there overnight … but we need to start now

(Roadmap items as laid out on the slide graphic)

• Acquisition strategy drawn from a comprehensive architecture to balance capital with O&M expenditures
• Consolidate IT Architecture to guide IT and cyber decisions
• Vendor/Supplier DMZ established, eliminating remotely managed systems
• Mission Critical Environment for management of most important data and systems
• “Smart Grid” deployment
• Unified cyber incident response strategy
• Ideas – Options – Plan
• Embed IT/Cyber situational awareness capabilities in operations
• Create software, hardware testing capability including wireless & mobility
• Publish Vendor Security requirements

2013 – Compliant (meet requirements)

2016 – Agile (have options)

2020 – Resilient (cybersecurity built in)

The Threat

• Build/Expand cyber intelligence sources
• Perform source supply analysis of critical cyber components
• Attract/recruit technology companies to the valley

Our goal must be to close this gap


In the 20th Century TVA built an incredible economic engine for the Nation and benefited immeasurably from advances in technology. In the 21st Century we must now transform how we employ that technology to protect our mission.

Page 26: Energy Industry Organizational Strategies to Increase Cyber Resiliency


So here is the bottom line

• We face serious financial challenges
• Over the past 50 years, advances in technology made significant contributions to achieving the TVA mission
  – Today, virtually everything we do depends on the network
  – That reliance has introduced significant business risk … and the cyber threat is growing
• Our approach to cybersecurity has been partially compliance based … but we are making cutting edge investments to develop a broader capability and have been lauded by multiple agencies for our dynamic approach
• We still need a paradigm shift across the agency
  – Continue to be fully compliant
  – Increase response options to become resilient; focused on continuing the mission
  – Engineer cybersecurity standards in the system design process and a supporting cyber/IT acquisition strategy
• We’ve captured ideas from across the TVA … we need to examine them and identify more
• And as we do so … fulfill our CEO’s challenge
• And the broader set of benefits we may derive are compelling
  – Serve as an industry leader for how to integrate cybersecurity and energy/power
  – Leverage the collective efforts to evolve our culture
  – Exercise cross functional initiatives in developing workable options
  – Enhance both trust and safety through the process

There will be costs … but the cost of doing nothing could be staggering

Page 27: Energy Industry Organizational Strategies to Increase Cyber Resiliency


Tennessee Valley Authority
Julie Soutuyo, Senior Program Manager
Email: [email protected]
Phone: (703) 862-0819

Discussion, Questions, and Feedback