Energy Industry Organizational Strategies to Increase Cyber Resiliency
Presented by: Julie Soutuyo, Tennessee Valley Authority
Abstract: Over the past 40 years, the energy industry has evolved to a position of dependence upon information technology to accomplish its mission. Cyber attacks have become a “way of life” as the Nation, industry, organizations, and individuals strive to operate safely and securely in cyberspace. Most rely on a compliance-based “whack-a-mole” approach to cyber defense which presents multiple barriers to hackers, based on the last attack, with efforts to “hit” any that get inside the organization’s defenses. While still valid, this compliance-based approach has significant challenges: stopping intruders, mitigating the problems they create, and positioning an organization to achieve its mission under a cyber attack. Cyber experts across the Nation are increasingly turning to resiliency as a means for fighting through these attacks with the objective of meeting operational and mission requirements in spite of the attacks. This shift is driving organizations to rethink their organizational structures to achieve unity of effort and streamlined decision-making in the face of a fast paced set of operational demands. This presentation will highlight the strategies to promote a cyber resilient organization.
Julie Soutuyo Senior Program Manager Tennessee Valley Authority
Improving Organizational Resilience to an Increasing and Evolving Threat
EnergySec 9th Annual Security Summit September 18, 2013 Denver, CO
Organizational Cyber Resilience
TVA Restricted Information – Deliberative and Pre-Decisional Privileged
Table of Contents
• The CEO’s Challenge
• Cybersecurity in Context
• The Cyber Risk
• Possible Solutions
On July 25th, our CEO challenged the TVA staff to improve our future economic posture
• Doing so while effectively operating across four imperatives:
  – Debt,
  – Rates,
  – Stewardship, and
  – Asset Portfolio
• In an operating environment focused on
  – Trust,
  – Safety, and
  – Change
• And a significant evolution of our culture
• His message was clear…the TVA must undertake major transformation
The company is undergoing a transformation of business and culture…
• This is an optimal time to make progress on communicating the benefits of becoming more cyber resilient:
  – New CEO
  – Economic challenges
  – Changes in organizational structure and strategic direction
  – Increased focus on reducing risk
  – An appeal to all employees to be innovative in finding solutions
The challenge is that “Cyber” is not always well understood by utilities…
• Cyber security is seen as important but many employees don’t understand the threat:
  – Cyber terminology is confusing
  – Some don’t believe the threat is “real”
  – Many feel that sensitive networks and assets are sufficiently isolated
  – “No way! I’m not shutting down to patch anything! My 1995 ICS technology (with no maintenance agreement in place) is safe!!”
• Executives are often in the same “boat”:
  – Didn’t we fix that already?
  – NERC CIP must be addressing my requirements
  – Not critical to making electricity
  – What am I getting in return for this investment?
  – Who else is experiencing this? Nobody in the industry? Why am I spending so much????
“Uh, I think your Stuxnet ate my Poison Ivy and caused my Duqu to explode after a denial of service…..then the Aurora came after the Shamoon and finally, I just decided to go phishing with my kill chain…”
Note: Cyber terms are not “common” utility jargon!
A key component of influencing change within an organization’s culture is to tell a story….
My story about how to become more cyber resilient starts with the network....
...and ends with TVA in a much better cybersecurity posture by 2020; ready to face next generation cyber threats.
Like other utilities, TVA has many different networks used to operate the company
• Different types of networks across the corporate and power environments are the means for executing the TVA mission
  – Operations managed; sensor data and decisions from ICS
  – Safely operate and maintain power plants and transmissions systems
  – Buy and sell power; bill customers; receive revenues
  – Communicate internally and externally
  – Manage environmental requirements
• These same networks are the target of cyber attacks and the potential means for attacking TVA Critical Assets or Business Processes
• The attackers are…
  – More sophisticated and effective
  – With the potential for causing serious disruption and even destruction of our resources
  – Interested in achieving various objectives
Even as we resolve our financial challenges, we have an opportunity to drive change…
• Working collectively on solutions to our networked security…
  – Across functional lines that have common ground
  – To identify mutually supportive solutions
  – Towards becoming operationally resilient to cyber attacks
  – And, the means to tackle the broader financial challenges
• NOW is the time for developing our cybersecurity resilience to protect our networked resources and continue to fulfill our mission requirements
  – Make recommendations to evolve our cyber operations posture from…
    • Compliance
    • To becoming agile
    • And ultimately resilient
  – Which will allow TVA to recognize
    • Enhanced cybersecurity safety
    • Building trust and confidence across our enterprise and with our customers
    • Avoid catastrophic costs resulting from an increasingly likely cyber attack
    • While embracing change
The TVA has been a technology leader through the 20th Century
Major TVA events
1933. TVA established by Congress to address environmental, economic, and technological challenges including delivery of low-cost electricity
40s – expanded hydropower construction
50s – Largest electricity supplier
1959. Federal appropriations ended; TVA becomes self-financing
60s – Introduction of nuclear power plants
70s – 80s – Focus on energy conservation
90s – Increased competition; clean air focus
1999. Federal appropriations for environmental stewardship and economic development activities ended
2000s – focus on energy, environment, and economic development
Major Internet events
1969. The Internet (ARPANET) brought on line
1970s. Introduction of 1st generation “monolithic” SCADA systems
1980s. Growth of 2nd generation “distributed” SCADA systems
1982: Internet protocol TCP/IP standardized
1990s. 3rd generation “Networked” SCADA systems
1991. World Wide Web evolves through new protocol, hypertext
• Explosive growth of the internet
• Rise of social networking (e.g., Facebook, Twitter)
• Exponential growth of mobility platforms
Major cyber attacks
2000. DDOS attack across commercial web sites ($1.7B in damages)
2003. Slammer worm infected 90% of vulnerable computers within 10 min ($1B in damage)
2009. Merrick Bank lost $16M after hackers compromised 40M credit card accounts
2010. Stuxnet infected Iranian nuclear facilities
2012. More than 30,000 computers at Saudi Aramco (oil company) destroyed by virus
• IT revolutionized our industry
  – Affected every element of power generation and delivery
  – Almost always “bolted on” and not “built in”
• AND…introduced significant risk from cyber attacks
  – With increased frequency, from more adversaries, with greater sophistication, against more targets, with increased success, …and greater impact
…and technology with the cyber threat has introduced risk to our imperatives
Change, Trust, Safety
Rates
• Increases costs from:
  o Disruption of service and restoration requirements
  o Legal fees resulting from theft or destruction of data
• Potential loss of customers (particularly industrial customers)
Debt
• Immediate impact to O&M costs to restore systems damaged or destroyed by a cyber attack
  o Could cause TVA to exceed its debt threshold
Stewardship
• Loss of trust and credibility…
  o Customers due to loss of privacy data or service outage
  o Government due to national power grid impacts
• Safety … placing staff in harm’s way working to resolve outages
• Economic and environmental impacts resulting from destruction of major environmentally sensitive TVA components
Asset Portfolio
• Unstable and/or unreliable critical asset performance
• Potential damage, destruction, and loss of assets
  o Both short and long term
The Cyber Threat is driving unwanted change into TVA and in turn is eroding our trust and safety
We can control some of the drivers of risk and some we can’t
External Drivers: Those we can’t control
• Customers…those whom we serve, with expectations for
  – Uninterrupted service
  – Reasonably priced electricity
  – Protection of Personal Identification Information and privacy expectations
  – Environmental stewardship
• Government (e.g., NERC)…Drive oversight & regulations
  – Drives cost (e.g., changes in “bright line,” EPA requirements)
  – Expects industry to operate systems securely and safely (e.g., nuclear facilities operate in a virtually “zero defect environment”)
• Industry…Both Partners/Competitors
  – Jointly managing the Nation’s power grid
• Vendors…supporting TVA
  – Drive change with updates and new capabilities
• Threat Actors (e.g., hacktivists, criminals, Nation States)
  – Focused on embarrassment, exploitation, theft, disruption, and destruction
  – Capable of taking over Industrial Control Systems (ICS) and corporate networks; shutting them down; creating significant risk to TVA staff and customers (loss of service; restoration risks, etc.)
Internal Drivers: Those we can control
• TVA Organization
  – Decentralized, tiered, & distributed
• Staff
  – The guardians of TVA culture
  – Both driving and resisting change
• Culture
  – Accountability
• Technology
  – Constantly increasing the pace of change with technology refresh, updates, patches, etc.
• Aged Infrastructure
  – Some is 80 years old…does not always adapt easily
  – Cybersecurity technology solutions generally bolted on vice built in
• Funding and Budgets
  – Bounded (as our CEO reminded us)
  – Debt ceiling is almost gone
Can Impact our Costs
This isn’t to suggest that only bad things evolve from this challenging period of change
• Large scale change presents an opportunity to examine our approach to cybersecurity
• Increase trust in our systems
  – Enhance our cybersecurity posture
  – Revisit how we fund
    • How much are we investing now
    • Percentage of our network coverage
    • Known risks in different operating environments that have not been addressed (e.g., corporate, nuclear, fossil, etc.)
    • Which investments would create the maximum value (near, mid, and long term) impact
  – Examine cybersecurity across functional elements (e.g., IT, Operations, and Supply/Logistics) to collectively develop ideas and options to better secure our networks
• Ultimately, cybersecurity is about risk…and money
  – How much cybersecurity risk are we willing to accept
  – At what cost
    • To make changes
    • To avoid potential catastrophic costs
We are not alone in this struggle…the entire industry is challenged
The CEO’s challenge is an opportunity to…
Define the cybersecurity risks we face…
…and the implications for how we secure our networks
Consider the evolving cyber environment…
…and the potential implications for our future operations
Jointly identify some possible solutions…
…and what other options we might consider
Expand our approach to cybersecurity…
…and consider cross organizational, multi-functional solutions
Redefine our understanding of networks…
…and protect them as vital to executing our mission
Examine the costs of doing so…
…and the potential costs of not
Assess the timing of making changes…
…in the near, mid, or long term
Today, the government’s cybersecurity response focuses on regulations & standards
The Government Response
• NERC CIP has issued 28 documents detailing Reliability Standards
  – Set standards for reporting, cyber asset identification, system categorization, security management controls, personnel and training standards, management (electronic, physical, and systems security management), configuration management, information protection
  – Each includes requirements and measures; for example…
    • CIP-001-2a has 4 requirements and 4 measures
    • CIP-002-3 has 4 requirements with 5 sub-requirements and 7 sub-sub requirements, and 4 measures
… And Industry Complies
• Developed large IT organizational structures to meet requirements
• Expended significant resources to protect systems and networks
• Has not been as likely to adopt recommendations (vice requirements)
• In fact…compliance, all too often is the foundation and primary means for mitigating risk … “If I comply, I’m protected”
Standards, requirements, alerts, reporting and compliance serve an important function for fulfilling organizational objectives operating in cyberspace
But, compliance alone is risky and the nature of the energy industry poses additional challenges
Columns: Operational, Organizational, Resourcing
Focus
• Compliance-based defense (e.g., NERC CIP and NIST guidelines)
• Leadership and technical staff from corporate headquarters to distributors are independent
• Primarily on O&M (vice capital expenditures) to meet regulatory requirements
Challenges
• Complex situational awareness; discerning source of disruption or destruction between routine failures vice cyber attacks
• Need to integrate across diverse operational platforms to establish an operational framework and increase employee awareness
• Increased costs
  – Operating and maintaining multiple IT solutions and architectures
  – Executing compliance requirements across multiple organizational elements
  – Capital IT expenditures are accomplished independently; plants, vendors, distributors adopt different solutions that frequently aren’t interoperable or require expensive interfaces
  – Missed opportunities to gain efficiencies and savings through consolidated, organization-wide negotiations with vendors (vendors often drive solutions)
• Limited response actions:
  – Frequently “after the event”
  – Reluctance to shut systems down
• Organization-wide solutions to cyber attacks difficult and costly due to loose federation of IT infrastructures, complex and different network environments, requiring specialized solutions
• Slowed response waiting for developed, tested, deployed, and approved solutions
Result
• Increased potential for success of cyber attacks with resulting energy disruption, loss of data and corresponding legal and financial impacts
Those challenges affect our ability to respond quickly…and in cyberspace it’s all about speed
“Time is Money” was never more true…and it’s not just one cyber attack…it’s hundreds…thousands and they aren’t going to stop… because it works
• Discovery: Time between discovery of a zero day vulnerability and the development, testing, deployment, and implementation of a solution
• Detection: Time between a successful breach of a network/system and discovery by the organization
• Response: Time to develop, test, deploy, and implement solutions
• Recovery: Time to restore network/systems to full operational capabilities
…and cyberspace is not getting any slower or safer
• Cyber attacks are increasing every day
  – Across the Nation
  – Our industry
  – …and against TVA
• Using a wide variety of methodologies
  – “Phishing” … social engineering of email
  – Malware … planting tools and software in our networks
  – Denial of Service … denying us and our customers access to our networks
  – Ransomware … hijacking computers forcing payment for release
• And it’s not going to get any better for the foreseeable future
  – …because it works
• DHS reported 198 attacks on critical U.S. infrastructure in 2012…up from 9 in 2009
• In 2012, ICS-CERT tracked 171 unique vulnerabilities affecting ICS products across 55 vendors
• The TVA experienced an almost 30% increase in attacks year over year
• Over the last quarter, DELL SecureWorks has escalated 269 incidents beyond the SOC
Given “Time is Money”…we must…
• Be more than compliant…compliance activities are “table stakes”
• Be faster…
  – Identify vulnerabilities faster across the enterprise
  – Identify attacks faster
  – Work the development, testing, and deployment of solutions faster
  – Make decisions faster
  – Restore networks and systems faster
• Be more agile by creating response options vice just “stopping the pain”
• Systematically build a plan towards becoming resilient, able to meet mission requirements by “fighting through” cyber attacks
• We need a paradigm shift in our approach beyond compliance to become agile and ultimately resilient
[Chart: Cost of a Cyber Attack ($$$); axes: Time/Speed and Money]
The average cost of a breach is about $188 per stolen record, and the average loss per incident is $9.4 million
Ponemon Institute
A journey towards resilience can be iterative
Compliant
• Continue to meet requirements
• Expand to executing NERC/NIST recommendations
• Develop options for becoming more agile and make plans to become resilient
• Evolve the TVA culture to embrace cybersecurity safety
Agile
• Harden network infrastructure and develop options and alternatives to become more robust to withstanding cyber attacks
• Develop architectures and acquisition strategies that will serve as the foundation for becoming resilient
• 1-3 year time frame to develop and deploy in stages
Resilient
• Build security in to our infrastructure
• Execute a plan and supporting architectures and acquisition strategy
• Withstand, mitigate, and defeat cyber attacks with planned, rehearsed, responses that ensure mission execution
• 3-7 years synchronized with other programs and operations across TVA
Timeline: Today (Compliant), 1-3 Years (Agile), 3-7 Years (Resilient)
Resiliency is a complex set of activities that must be programmed into our “operational DNA” and be…
…Planned
• Execute compliance based requirements…as well as recommendations
• Develop IT/Cyber architecture integrated with other utility disciplines for next generation systems
• With corresponding and supporting policy implementations
• And supporting acquisition strategies for the “long haul”
• Interdependencies must be understood and documented
• Services, data storage, system criticality must be documented in advance to program response actions in a timely manner
…Practiced
• Cyber resiliency must be practiced
• Leaders and technical staff trained and exercised in roles and responsibilities
• Immediate action drills must be documented and rehearsed
…Unified
Across large, diverse, decentralized organizations (e.g., TVA) requires:
• Coordinated and integrated architectures
• Standardize with “controlled diversity” of approved tools, equipment and vendors
• Comprehensive situational awareness across all components
• Consolidated and centralized decision-making…there’s no time for debate
… and Resourced
• Acquisition strategy that addresses resiliency requirements
• Supports security architectures
• Maximize IT/cyber resources and interoperability through vendor strategies
• Redundant (backup) resources must be identified and if necessary resourced
We may not simply declare we are resilient; rather it requires a set of comprehensive reforms organizationally to evolve itself.
We’ve proposed some “ideas” as a start point for options leading to resilience that are…
• By no means comprehensive
  – But intended to get the discussion started
• Grouped by
  – Network and Security Capabilities
  – Engineering
  – Organizational
  – Supply Chain
  – Enterprise Risk Management
• Characterized along spectrums of…
  – Costs (low, moderate, and high)
  – Time (near, mid, and long)
• Opportunities for the TVA staff
  – To embrace and drive essential change across our organization
  – Build trust in an environment of shared cybersecurity safety
  – To leverage the unique cross functional qualities of IT/Cyber
Network and Security Capabilities
• Embed TVA-wide IT/Cyber situational awareness within existing TVA operations center(s) with complete performance view of corporate and power WAN and LAN networks
  – Provide 100% situational awareness of ALL TVA (transmission, IT, nuclear, etc.)
  – Efficiencies and cost savings
  – High Cost – Long Term
• Enhanced Incident Response capabilities across the entire enterprise
  – Enhance Unity of Effort and decrease response times
  – Low Cost – Near Term
• Evaluate cybersecurity effectiveness of network carriers and embed corresponding requirements in contracts
  – Create options to increase robust network capabilities and capacity
  – Low Cost – Mid Term
• Work with vendors to ensure cybersecurity is built in to their products including situational awareness
  – Moderate Cost – Long Term
• Examine options for establishing the means for testing Vendor products and our own (e.g., incorporated network firewalls, wireless encryption and DMZs as the primary maintenance and diagnostic hub for plant)
  – Require Vendor certification through the facility
  – Moderate cost – Mid Term
• Continue to expand and build on current government relationships at the network level and through policies and procedures
  – Low Cost – Near Term
…and…
Engineering
• Embed cybersecurity technology in all Engineering initiatives and architectures (all forms, civil, mechanical, power, IT) as a requirement for program approval
  – Require resiliency strategies in operational and acquisition reviews and escalate the concept into the strategic plan
  – Cultural shift
  – Low cost – Near Term
• Build an IT/cyber architecture that captures the ideas, options, and plans for securing the network to serve as the foundation of our cyber resiliency
  – Low Cost – Mid Term
• Improve and invest in data retention and back-up strategies across TVA (corporate IT and plant) to enable recovery when needed
  – Moderate Costs – Mid Term
Organizational
• Inextricably bind security and safety e.g. “If it’s not secure, it’s not safe”
  – Culture shift…safely operating network, individual computers, etc.
  – Low Cost – Near Term
• Promote cybersecurity safety across the TVA (e.g., staff, customers, vendors, etc.)
  – For smart grid, demand response, financial, and other inter-connections
  – Low Cost – Near Term
• Attract and recruit technology companies into Tennessee Valley who build programmable components and thereby enhance the defense industrial base security and that of utilities/critical infrastructure
  – Manufacturers become customers
  – Low Cost – Long Term
…and…
Supply Chain
• Perform a source of supply analysis on programmable logic components (relays, switches, routers, etc.) to determine country of origin; conduct cost-benefit analysis for replacing PLCs per risk analysis
  – Low Cost – Near Term
• Increase security specifications on all acquisitions
  – Low Cost – Near Term
• Reward vendors and partners who exhibit exceptional security performance
  – Contractual requirements, measures, and rewards for securely maintaining vendor supplied technologies
  – Create vendor guidelines for security standards through contracts
  – Low Cost – Near, Mid, and Long Term (contract dependent)
• Use pre-vetted Government contract vehicles to acquire security services when possible
  – Low Cost – Near Term
Enterprise Risk Management
• Raise cyber risk awareness
  – Understand the impact of cyber threats to all current TVA Risks
  – Low Cost – Near Term
• Adjust Enterprise Risk Management (ERM) to more fully address financial implications of the risks and impacts of cyber attacks
  – Low Cost – Near Term
• Expand operational risk view to “look outside the fence” and ensure communications and collaboration are occurring with entities external and internal to TVA
We won’t get there overnight … but we need to start now
• Acquisition strategy drawn from a comprehensive architecture to balance capital with O&M expenditures
• Consolidate IT Architecture to guide IT and cyber decisions
• Vendor/Supplier DMZ established eliminating remotely managed systems
• Mission Critical Environment for management of most important data and systems
• “Smart Grid” deployment
• Unified cyber incident response strategy
• Ideas – Options – Plan
• Embed IT/Cyber situational awareness capabilities in operations
• Create software, hardware testing capability including wireless & mobility
• Publish Vendor Security requirements
• Build/Expand cyber intelligence sources
• Perform source supply analysis of critical cyber components
• Attract/recruit technology companies to the valley
2013 - Compliant (meet requirements)
2016 - Agile (have options)
2020 - Resilient (cybersecurity built in)
The Threat
Our goal must be to close this gap
In the 20th Century TVA built an incredible economic engine for the Nation and benefited immeasurably from advances in technology; in the 21st Century we must now transform how we employ that technology to protect our mission
So here is the bottom line
• We face serious financial challenges
• Over the past 50 years, advances in technology made significant contributions to achieving the TVA mission
  – Today, virtually everything we do, depends on the network
  – That reliance has introduced significant business risk … and the cyber threat is growing
• Our approach to cybersecurity has been partially compliance based…but we are making cutting edge investments to develop a broader capability and have been lauded by multiple agencies for our dynamic approach
• We still need a paradigm shift across the agency
  – Continue to be fully compliant
  – Increase response options to become resilient; focused on continuing the mission
  – Engineer cybersecurity standards in the system design process and a supporting cyber/IT acquisition strategy
• We’ve captured ideas from across the TVA … we need to examine them and identify more
• And as we do so… fulfill our CEO’s challenge
• And the broader set of benefits we may derive are compelling
  – Serve as an industry leader for how to integrate cybersecurity and energy/power
  – Leverage the collective efforts to evolve our culture
  – Exercise cross functional initiatives in developing workable options
  – Enhance both trust and safety through the process
There will be costs…but the cost of doing nothing could be staggering
Tennessee Valley Authority Julie Soutuyo Senior Program Manager Email: [email protected] Phone: (703) 862-0819
Discussion, Questions, and Feedback