leidos.com/infrastructure
Perspectives on Protecting Your Utility against Physical and Cyber Attacks
Track A
Presented by:
Stephen F. Schneider, PE
July 26, 2016
2 © Leidos. All rights reserved. leidos.com/infrastructure
Leidos: Tackling Enduring Challenges of Significance
Figure: Leidos practice areas grouped under National Security, Health, and Infrastructure (Environment and Civil Infrastructures; Security; Health and Wellness; Clean Air, Water and Food Safety; Power and Electricity; Natural Resource Optimization)
Converging National Security Expertise and Utility Grid Engineering Experience
› Largest cyber provider for the National Security Agency – more than 850 cyber-related security projects
› #7 Top Design Firms: Transmission and Distribution (Engineering News-Record)
› Top 20 Cybersecurity Companies (Visiongain)
Topics
> Security Background
> Physical Security
> Threats, Vulnerabilities, and Risks
> Developing the Security Plan
> Moving Beyond “Just Walls”
> Cybersecurity Threats and Their Impacts
U.S. Electric Grid: Current Condition
> 2,100 high voltage transformers at 345 kV or above
> Electric grid soft spot
> Critical impact
> Relatively easy impact
> Large number of targets
> Long lead time to replace
> Difficult to repair
> Hard to move
> Highly interconnected
> Limited spares/expensive
Diagram courtesy of Congressional Research Service. Sources: GIS data from Platts, HSIP Gold 2013 (Ventyx), and ESRI.
The Evolution of Critical Infrastructure Protection Requirements
Figure: External Threat Profiles (Social Engineering, Physical Attack, Non-Compliance Fines, Cyber Attack) and Internal Threat Profiles (Disgruntled Staff, Sabotage, Reputation, Data Manipulation) surrounding Utility Systems (People, Facilities, Processes, Technology)
Responding requires planned and coordinated efforts across the organization
Spirit and Intent of NERC CIP 014
Protect against and deter potential threats to utility facilities, substations, and control centers that, if rendered inoperable or severely damaged, could result in widespread instability, uncontrolled separation, or cascading failures within an interconnection.
NERC CIP Requirements
Requirement Goal
R1 Initial assessment
R2 Independent review of initial assessment
R3 Coordination between operator and owner
R4 Threat and vulnerability assessment
R5 Development and implementation of physical security plan
R6 Third party assessment
Threats and Vulnerability Assessment
Protecting the Grid with an Integrated Plan
High Level R4 Methodology
Impact Assessment
Threat ID and Rating
Vulnerability Assessment
Risk Assessment
Mitigation Options / Risk Management
Simplifying the Components of a Threat and Vulnerability Assessment
> Who: Adversary (Threat)
> Why: Intent to harm (Threat)
> How: Capability (Threat)
> What: Attack (Threat)
> When/Where: Vulnerable points (Vulnerability)
Risk – The impact on the customer base AND stability of the grid
Risk = Impact (Asset Valuation) x Threat x Vulnerability
Risk Assessment/Analysis
Risk Rating (r) = Asset Value (av) x Threat (t) x Vulnerability (v)
Risk Rating Legend (Risk Factors Total): Low = 1 to 60; Medium = 61 to 175; High = > 176
Risk Rating by Asset/Component and Threat Vector:
Asset/Component              Ballistic  VBIED  IED  Intrusion      Intrusion   Insider
                             Attack                 by Person(s)   by Vehicle  Threat
Substation Transformer       567        432    315  432            288         432
Transformer Bank             567        432    315  432            288         432
Control House                504        384    280  384            256         384
Circuit Breakers             294        180    144  180            126         210
Substation Service Unit      140         48     48   72             48         120
Substation Infrastructure     48         48     48   24             24          24
Tie-Line                      48         48     36   24             24          24
Transmission Lines & Towers   36         36     27   18             18          18
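As an added example (not from the presentation), the formula on the Risk = Impact (Asset Valuation) x Threat x Vulnerability slide and the rating table above turned into code: r = av x t x v is computed from per-factor scores, classified with the slide's Low/Medium/High legend, and the cells are ranked for the Mitigation Options / Risk Management step of the R4 methodology. The 1..10 scale for each factor and the sample scores are assumptions; the slide shows only the resulting ratings.

```python
"""Risk Rating (r) = Asset Value (av) x Threat (t) x Vulnerability (v), with the
Low/Medium/High legend from the slide. Added example, not Leidos code.
Assumption: each factor is scored as an integer 1..10 (the slide does not state
the scale), so r ranges from 1 to 1000."""
from itertools import product

FACTOR_MIN, FACTOR_MAX = 1, 10   # assumed scoring scale for av, t and v

# Legend as printed: Low = 1 to 60, Medium = 61 to 175, High = > 176.
# Printed that way, 176 falls in neither band; assumption: 176 counts as High.
LOW_MAX = 60
MEDIUM_MAX = 175
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def risk_rating(av: int, t: int, v: int) -> int:
    """Compute r = av x t x v after checking each factor is on the assumed scale."""
    for name, score in (("av", av), ("t", t), ("v", v)):
        if not FACTOR_MIN <= score <= FACTOR_MAX:
            raise ValueError(f"{name}={score} is outside {FACTOR_MIN}..{FACTOR_MAX}")
    return av * t * v


def risk_level(r: int) -> str:
    """Map a rating onto the slide's Risk Rating Legend."""
    if r < 1:
        raise ValueError("risk factors total must be at least 1")
    if r <= LOW_MAX:
        return "Low"
    if r <= MEDIUM_MAX:
        return "Medium"
    return "High"


def rating_matrix(asset_values, threats, vulnerabilities):
    """Build the asset x threat-vector matrix shown on the slide.
    asset_values: {asset: av}; threats: {vector: t};
    vulnerabilities: {(asset, vector): v}. Returns {(asset, vector): (r, level)}."""
    matrix = {}
    for (asset, av), (vector, t) in product(asset_values.items(), threats.items()):
        r = risk_rating(av, t, vulnerabilities[(asset, vector)])
        matrix[(asset, vector)] = (r, risk_level(r))
    return matrix


def mitigation_priorities(matrix, minimum="Medium"):
    """Cells at or above `minimum`, highest rating first: the input to the
    'Mitigation Options / Risk Management' step of the R4 methodology."""
    cells = [(asset, vector, r, level)
             for (asset, vector), (r, level) in matrix.items()
             if LEVEL_ORDER[level] >= LEVEL_ORDER[minimum]]
    return sorted(cells, key=lambda cell: cell[2], reverse=True)


# Constructed sample scores (the slide shows only the resulting ratings). The
# Substation Transformer scores are chosen so they reproduce its printed row.
SAMPLE_ASSET_VALUES = {"Substation Transformer": 9, "Circuit Breakers": 6, "Tie-Line": 2}
SAMPLE_THREATS = {"Ballistic Attack": 9, "VBIED": 8, "Insider Threat": 6}
SAMPLE_VULNERABILITIES = {
    ("Substation Transformer", "Ballistic Attack"): 7,  # 9 x 9 x 7 = 567, High
    ("Substation Transformer", "VBIED"): 6,             # 9 x 8 x 6 = 432, High
    ("Substation Transformer", "Insider Threat"): 8,    # 9 x 6 x 8 = 432, High
    ("Circuit Breakers", "Ballistic Attack"): 5,        # 6 x 9 x 5 = 270, High
    ("Circuit Breakers", "VBIED"): 3,                   # 6 x 8 x 3 = 144, Medium
    ("Circuit Breakers", "Insider Threat"): 5,          # 6 x 6 x 5 = 180, High
    ("Tie-Line", "Ballistic Attack"): 2,                # 2 x 9 x 2 = 36, Low
    ("Tie-Line", "VBIED"): 3,                           # 2 x 8 x 3 = 48, Low
    ("Tie-Line", "Insider Threat"): 2,                  # 2 x 6 x 2 = 24, Low
}

if __name__ == "__main__":
    matrix = rating_matrix(SAMPLE_ASSET_VALUES, SAMPLE_THREATS, SAMPLE_VULNERABILITIES)
    for asset, vector, r, level in mitigation_priorities(matrix):
        print(f"{asset:23} {vector:17} r={r:4d}  {level}")
```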
R5 Physical Security Plan Elements
Provides…
> Measures for detection, delay, deterrence, and defense
> Procedures for assessment, communication, and response
> Guidance on:
> Process – plans, measures, and procedures
> People – operations
> Facilities – material and hardening measures
> Technology – security systems and applications
> Tool for operational and response personnel
> Living document to assess, update, and implement
> Most importantly, helps meet or exceed NERC CIP-014 requirements
Using R5 Fundamentals to Achieve NERC CIP Goals
Security Plan Cornerstones: People, Processes, Facilities, Technology
CIP 014 Key Elements:
> What are your resiliency and security measures?
> Who are your law enforcement contacts?
> What is your implementation timeline?
> What is your evolving threat analysis?
> Response metrics
> Training
> Joint training
> Tabletop exercises
> Staff levels
> Coordination between operations
> Law enforcement relationship
> Regulators/PUC/FERC
PUC – Public Utility Commission; FERC – Federal Energy Regulatory Commission
> Response/event management
> Change/configuration management
> Metrics
> After-action
> Lifecycle evolution
> Future threat adaptation
> Deter, detect, deny, delay, and defend
> Walls and barriers
> Surveillance/detection
> Response/guards/law enforcement
> Countermeasures/resiliency
> Site reality
> Transformer shrouding
> ACS/VMS/Network
> PSIM/SIEM/Cyber
> Open source intel
> Data analytics
> IT/OT convergence
Utility Horizons: IT/OT Integration and the Effect on Utility Security
http://www.nxtbook.com/nxtbooks/utilityhorizons/2014q3/#/10
PSIM – Physical Security Information Management; SIEM – Security Information Event Management; ACS – Access Control System; VMS – Video Monitoring System; IT/OT – information technology/operation technology
High-Level Overview of Physical Security Implementation Plan
> Metrics-based approach
> Continuous feedback loop
The Classic Problem: The Standoff Between Silos
Image from “The Office”
© NBC
Avoiding Operational Silos
Engineering: Standards, Contingencies, Resiliency
OT/Operations: SCADA, C2, Field Systems, O&M
IT/Cyber: Network, Cyber, Telecom, Enterprise
Security: Hardening, Access, Response
OT – Operations Technology; IT – Information Technology; C2 – Command & Control; O&M – Operations & Maintenance
Ensuring Effectiveness
> Training
> Tabletop exercises
> Full-scale field exercises
> Scorecard metrics and feedback
> Lifecycle/tech refresh
> Awareness of evolving threats
Tying it All Together
Figure labels: Security Plan; Threats and Vulnerability; First Responder Coordination; Resource Constraints; Training; Policies, Processes and Procedures; Cyber/Physical Convergence; Engineering
Reconfiguration Complements CIP 014
Reconfiguration via ties, bus realignment, and other up-front engineering can reduce the criticality of individual substation sites or other facilities.
Case Study #1
> Option 1: Cost to bring a substation into CIP 014 compliance estimated at $3-4 million
> Option 2: Cost to install additional transmission line to reduce the station criticality estimated at $2 million
> Result: $1-2 million saved, substation criticality reduced
Case Study #2
> Utility moves away from larger substation to smaller, geographically distributed substations
> Result: Size and criticality of substation reduced
Substation Physical Security: Hardening Protection and Delay Measures
Protection – Walls, Fences, and Screens
> Transformers, Circuit Breakers and Control House
> Ballistic proof/blast resistant engineered wall systems
> Ballistic resistant fences and panels
> Opaque screens
Delay – Walls and Fences
> Perimeter
> Anti-climb/anti-cut, ballistic resistant fences
> High-security fences or walls with razor wire
> Landscaping and vegetation
Improving Security and Resiliency with Synchrophasors
Figure (only the label “Causes Instability” survived extraction)
Key Governmental Facility Protection
Appropriate Distributed Energy Resources (DERs) may reduce impacts to critical governmental facilities
Image courtesy of Green Energy Corporation
Taking Advantage of Big Data
Problem
> Wealth of available information – how do you digest it all and leverage it for utility security?
Opportunity
> Tremendous amount of data through AMI, PIDS, SCADA, network monitoring, cybersecurity, OMS, DMS, DMR, ACS, and synchrophasors
Solution
> Use your existing data infrastructure to enrich your security posture
Figure labels: Real-Time Big Data; Public/Private Cloud; Data Models; Enrichments; Data Sinks; Parsers; Transports
AMI – Advanced Meter Initiative; PIDS – Perimeter Intrusion Detection System; SCADA – Supervisory Control And Data Acquisition; OMS – Outage Management System; DMS – Demand Management System; DMR – Demand Management Response; ACS – access control system
Identify Opportunities for Incremental Value-Add
Develop ‘If-And-Then’ Use Cases
Goal: Minimize operational impact
> If Operations detects a transformer temp anomaly, and
> IT/Cyber detects a network outage, then:
> PhySec deploys guard or police for site protection, and:
> Operations deploys maintenance crew
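The ‘If-And-Then’ use case above as correlation logic run over sample event feeds (an added example, not Leidos code): the Operations and IT/Cyber signals must occur at the same site within a time window before the PhySec and Operations actions are raised. The event names, site identifiers, log format and 15-minute window are assumptions, and the log lines are constructed.

```python
"""Correlate the slide's 'If-And-Then' use case across Operations and IT/Cyber
feeds. Added example, not Leidos code. The event vocabulary, the site
identifiers, the log format and the 15-minute window are assumptions, and the
sample log is constructed."""
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(minutes=15)  # assumed: max gap between the two signals

# IF Operations detects a transformer temp anomaly AND IT/Cyber detects a network
# outage at the same site, THEN PhySec deploys a guard or police for site
# protection AND Operations deploys a maintenance crew.
USE_CASES = (
    {
        "name": "transformer temp anomaly + network outage",
        "if": ("Operations", "transformer_temp_anomaly"),
        "and": ("IT/Cyber", "network_outage"),
        "then": (
            "PhySec: deploy guard or police for site protection",
            "Operations: deploy maintenance crew",
        ),
    },
)


def parse_log(text):
    """Parse constructed lines of the form '<ISO timestamp> <source> <kind> <site>'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, kind, site = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "kind": kind, "site": site})
    return events


def evaluate(events, use_cases=USE_CASES, window=CORRELATION_WINDOW):
    """Return one alert per (use case, site) where the IF signal and the AND
    signal occurred at that site within `window` of each other. A signal at a
    different site, or outside the window, does not fire the use case."""
    by_signal = {}
    for ev in events:
        by_signal.setdefault((ev["source"], ev["kind"]), []).append(ev)
    alerts = []
    for uc in use_cases:
        fired_sites = set()
        for trigger in by_signal.get(uc["if"], []):
            site = trigger["site"]
            if site in fired_sites:
                continue
            for other in by_signal.get(uc["and"], []):
                if other["site"] == site and abs(other["ts"] - trigger["ts"]) <= window:
                    fired_sites.add(site)
                    alerts.append({"use_case": uc["name"], "site": site,
                                   "evidence": (trigger, other), "actions": uc["then"]})
                    break
    return alerts


# Constructed sample feed: SUB-12 has both signals 3.5 minutes apart, SUB-07 has
# them 50 minutes apart, SUB-03 has an outage only.
SAMPLE_LOG = """\
2016-07-26T10:02:00 Operations transformer_temp_anomaly SUB-12
2016-07-26T10:05:30 IT/Cyber network_outage SUB-12
2016-07-26T10:20:00 Operations transformer_temp_anomaly SUB-07
2016-07-26T11:10:00 IT/Cyber network_outage SUB-07
2016-07-26T12:00:00 IT/Cyber network_outage SUB-03
"""

if __name__ == "__main__":
    for alert in evaluate(parse_log(SAMPLE_LOG)):
        print(alert["site"], "->", "; ".join(alert["actions"]))
```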
Open Source Intelligence (OSINT)
Image Courtesy of Intel Corporation ©2014
Company Source Intelligence
Why?
> Firm up insider threat issues
> 70 percent of threats come from inside an organization
> Employee information
> Records
> Performance improvement plans
> Roles/responsibilities
> Keystrokes
Opening Thoughts on Cybersecurity
> While CIP 014 is focused on physical security, a full-spectrum security plan must consider cybersecurity
> Exclusion of cybersecurity exposes significant security vulnerabilities
> A few observations from our industry experience
> Attackers prefer working lower-tech attack methods (easier)
> Attacks are tailored to defeat the countermeasure (focus)
> As defenses improve, attacks will escalate to breach them, then step back down (hacker’s “stress tests”)
> As defenses improve in one area, attackers move to other areas that are weaker (effort to worth ratio… it is more effective to attack weak areas)
Cybersecurity Threat Summary
> Who and Why
> Hackers – Malicious intent, “Just because I can”
> Hacktivists – Political or social motivation; embarrassment/revenge of the attacked entity
> Criminal Enterprise – Goal to profit monetarily
> Advanced Persistent Threat (campaign) – Degrade U.S. national security or economics
Attack Vectors and Countermeasure Considerations
Comprehensive Cybersecurity Plan
> Establish a policy to govern cybersecurity (CIP 003-R1)
> Establish someone with responsibility for management of cybersecurity activities (CIP 003-R2)
> Establish a set of best practice guidelines to follow (CIP 007)
> Establish systems and network security (CIP 002-R3 and 003-R6)
> Develop an asset management plan
> Develop a configuration management plan
> Establish a risk management practice (CIP 003-R3)
> Establish patch and vulnerability management (CIP 007-R3 and R8)
> Establish an incident response capability (CIP 008)
> Establish a contingency plan capability (CIP 009)
CIP = Critical Infrastructure Protection
Threat Briefing: Threats Constantly Evolving
> 1981: Kevin Mitnick cracks PacBell and steals passwords
> 1986: Pakistani Brain virus (first malicious virus)
> 1988: Morris Worm released (first Internet worm)
> 1991: Michelangelo virus
> 1995: Web site defacements
> 1999: Melissa worm
> 2000: Distributed denial of service (DDoS) attacks
> 2005: Microsoft Office® exploits
> 2006: SCADA exploit tool
> 2007: Estonia cyber riots
> 2007: Pentagon computer system attacked
> 2008: Georgia cyber riots
> 2009: Downadup virus infected over 10 million systems
> 2010: First known cyber warhead discovered – Stuxnet worm
> 2011: Duqu discovered (Stuxnet variant)
> 2014: South Korean nuclear facility design and workers targeted
SCADA = supervisory control and data acquisition
Microsoft Office is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
Threat Briefing: Critical Infrastructure Targeted
> 1998: Telephone switch hack closes an airport
> 2000: Gazprom central control is hacked
> 2000: Australian hacker causes environmental harm by releasing sewage
> 2001: Hackers protesting U.S./China conflict enter U.S. electric power systems
> 2003: Power outages in northeastern United States occur
> 2003: Worm shuts systems down at Davis-Besse nuclear plant
> 2006: Zotob virus shuts down Holden car manufacturing plant (Australia)
> 2007: Aurora demonstration shows that a remote hacker can cause physical damage to a generator
> 2008: Intruder installed malware causing damage to Sacramento River diverter
> 2008: Turkish pipeline hack and explosion
> 2010: Stuxnet discovered
> 2012: Saudi Aramco targeted by Shamoon virus wiping out 30,000 hard drives
> 2013: Hacker group “Anonymous” declares war on U.S. Government
> 2013: Large number of watering hole attacks linked to Chinese Government
> 2013: More than 50 percent of reported ICS-CERT attacks are in energy sector
> 2014: German steel mill furnace damaged
> 2014: Havex and BlackEnergy target control systems
> 2015: Ukraine electric grid
ICS-CERT = Industrial Control Systems Cyber Emergency Response Team
Threat Briefing: Cascading Failure Modes
> Cascading failure modes
> We have limited information on the failure modes of many new and critical devices on the distribution and transmission side
> Can sensor feeds, at a high enough volume, overwhelm a system?
> Will automation and safety protocols lead to unintended consequences such as the Yuma, Arizona, incident?
> Protection devices seek to prevent further damage but cause more
> Automated controls often need human sanity checks
Threat Briefing: Market Manipulation
> April 23, 2012; 1300 EDT
“Breaking: Two Explosions in the White House and Barack Obama is injured.” – Associated Press Twitter Feed
> Dow Jones dropped ~150 points in 5 minutes
> Market recovered when hack of feed announced
> Phishing attack preceded false tweet
> Market manipulation
> With distributed energy resources come exchanges to buy and sell energy
> Markets can be manipulated by obtaining generation capabilities and demand data before it is available to the general market
> Data can be manipulated to influence markets
Stuxnet – What Was It?
> Stuxnet is the first publicly known cyber weapon
> Discovered in June 2010
> Months of reverse engineering to understand it
> Best forensic cyber engineers involved
> Discovering new aspects years later
> Nothing ordinary about this cyber weapon
> 20 times larger than most malware
> FOUR zero-day vulnerabilities
> Worm designation
> Disguised itself through a “rootkit”
> Intercepts security queries and returns false negatives – all is good
Stuxnet – What Was It?
> Targeted Siemens industrial control systems
> Overrode SCADA protocols
> Bushehr nuclear plant
> Natanz nuclear fuel enrichment plant
> Nearly 60 percent of all infections were in Iran
> Initial infection vector
> USB drive
> Subsequent infections
> Local network print spoolers
> Passage of infected USB drives
SCADA = supervisory control and data acquisition
Ukraine Electric Grid Attack
> Phishing attack able to obtain user credentials
> Used credentials to gain access to corporate and control network through VPN using single factor authentication
> Obtained access to HMIs associated with the Energy Management System and began tripping breakers causing an outage in three different service areas affecting 225,000 people lasting about four hours
> Launched destructive malware that deleted data and made systems inoperable
> Launched denial of service attacks on call center
VPN = Virtual Private Network; HMI = Human Machine Interface
So, Where is the Electrical Grid Vulnerable?
Generation
> Typically isolated from most communication networks
> Varies from nuclear, with extensive physical security, to smaller coal and diesel, with little to no physical security
> Within the plants, conditions vary widely, with cybersecurity generally a low priority
Transmission
> Critical to balancing grid electricity flow
> Most regulated portion from cybersecurity perspective
> Very time-sensitive communications
> Control centers play a key role
Substations and Distribution
> Substations serve as key junction points
> Physical security crucial (for example, Metcalf substation attack)
> Growth of substation automation poses risks
> Loss of control
> Loss of view
> Automation and control being pushed further down distribution line
Distributed Generation: Cybersecurity Threats and Vulnerabilities
> Depends on a sophisticated communications infrastructure to be always available
> Needs instantaneous information on status of generation resource, particularly wind and solar
> Often widely dispersed from control centers and vulnerable to cable cuts and radio frequency interference
> May leverage public networks that are more vulnerable to infiltration or bandwidth limitations
Plug-in Vehicles: Vehicle to Grid
> Cybersecurity challenges
> Similar to “do-it-yourself generation,” people can send false information to manipulate how much a utility thinks it is paying for
> Someone else’s vehicle identifier could be stolen or hacker could manipulate whose power is used
> Potential for privacy issues
> Potential for malfunctioning vehicles to disrupt grid
> Need a mini balancing authority for vehicles and a reliable system for detecting abuse
Cyber Threats Vulnerability Assessment Philosophy
Risk: Inability to Control Load; Inability to Manage Energy; Intruders on the Network
Impacts: Blackout; Loss of Control; Network Compromise
Vulnerabilities: Weak Encryption; Physically Available; Lack of Authentication
Threats: Hacker; Terrorist; Industrial Espionage; Insiders
Managing Risk to Distribution
1. Determine your threats and their motivations
> What are the threats to your organization?
> By knowing what the threats are, you will be able to prioritize the remediation of the most important vulnerabilities.
2. Understand where your gaps are in security conformance
> What are the weaknesses in your smart grid architecture?
> By knowing which vulnerabilities exist, you will know where your threats are likely to strike, giving you the ability to apply additional security controls to reduce the probability of occurrence where vulnerabilities cannot be mitigated.
3. Determine your organization’s tolerance for impact
> What does your organization want you to prevent from happening?
> Provide your senior management with a list of things that could occur and determine where their tolerances lie.
4. Document and manage the risks
> Manage risk by deploying controls to mitigate the impacts and probabilities of threat sources.
Cybersecurity is Becoming a Board-level Issue
Reuters, October 13, 2011
National Association of Corporate Directors
Turning Cybersecurity Risk Into a Business Risk
> Nuisance example: isolated malware infections
> Typically occur at rate of 6 percent of computers per year
> One oil company estimated cost at $4,000 per machine (including productivity losses)
> Slightly less of a nuisance: customer data breach losses
> Ponemon Institute estimated at $194 per record (most of cost is future lost business)
> TJX® saw losses of more than $171 million for its 2006 data breach; Heartland Payments Systems had 130 million credit card numbers breached in 2009
> For most customer data breaches, however, the relevant costs are minor as harms are hard to prove and the reputational damage is short-lived
> For utilities, greatest threats through cybersecurity attack are on ability to operate
> Maintaining stability of transmission and distribution grids (preventing widespread outages)
> Keeping hard-to-replace equipment from being damaged or destroyed (Aurora)
> Protecting human lives (fires, electrocutions, explosions, radiation)
> Ability to maintain cash flow (integrity of financial records, ability to bill and receive payments, access to bank accounts to pay suppliers)
> Ability to generate and coordinate (independent system operator functions, automated generation control)
TJX is a registered trademark of The TJX Companies, Inc. in the U.S. and/or other countries.
Governance Model
> Who does cybersecurity organization report to?
> In many cases, it is the chief information officer
> Can reporting reach executive- and board-level stakeholders?
> Do policies regularly get the backing of the chief executive officer?
> Budget
> Is the cybersecurity budget tied to major initiatives (transmission expansion, safety initiatives, new substations)?
> Is there a relationship between cybersecurity risk and other major risks?
> As new meters, sensors, and relays are added, is cybersecurity risk adjusted along with its budget?
> Are improvements in grid reliability correlated with improvement in cybersecurity?
> Are cybersecurity budget line items evaluated for how they help reduce major business risks or even other operational risks?
Moving From a Tactical to a Risk Management Mindset
> What gets reported?
> Malware infections vs. business disruptions
> Data breaches/lost laptops vs. value at risk
> Attacks blocked vs. threats averted
> How are resources allocated for cybersecurity?
Tactical
› Firewall management
› Log management
› Authentication
› Endpoint security
› Server security
Risk Management
› T&D grid stability
› Customer data protection
› Energy trading integrity
› Key asset protection
› Health and safety
T&D – Transmission & Distribution
Where to Start
How can you tell how good of a job you are doing?
> Mapping to business risks helps to speak to the board, but day-to-day challenges still require a comprehensive approach
> Frameworks can help if used in the context of business risk
> NERC CIP, NIST SP 800-53/800-82, ISO 27001, IEC 62443*
> Need maturity models and means of comparison with peers
Figure: Electricity Subsector Cybersecurity Capability Maturity Model (U.S. Department of Energy), Maturity Indicator Levels (MIL): MIL1: Initiated; MIL2: Performed; MIL3: Managed
NERC CIP – North American Electric Reliability Corporation Critical Infrastructure Protection; NIST – National Institute of Standards and Technology; ISO – International Organization for Standardization; IEC – International Electrotechnical Commission
Putting It All Together
Figure: Inside the circle – money spent on internal staff; outside the circle – money spent on product and services vendors
Governance and Oversight
Strategy and Risk Management
• Assessing and reporting
• Mapping security controls to acceptable risk posture
• Making sure cybersecurity risks are associated with business risks
Security Operations
• Monitoring systems and networks for attacks
• Continuously monitoring for vulnerabilities and policy violations
• Aggressively seeking out threat intelligence
• Responding to incidents and assisting with the recovery
Security Engineering
• Researching new protection techniques
• Designing, deploying, and supporting new security tools and technologies
• Aligning security tools, techniques, and technologies with organization’s culture and business drivers
Further figure labels: Program Development; Policy/Plan Development; Security Product Professional Services; Security Integration and Design Services; Security Products; Compliance / Risk Assessments; Security Product Testing; Pen Testing; Managed Security Services; Incident Response
Only 26 percent said they have sufficient expertise on staff (PwC)
Budgets: How Much Security Is Enough?
> The industry norms
> Cybersecurity budgets in all industries tend to range from three percent to 10 percent of
information technology budget
> For utilities, that number is closer to three percent to five percent
> IT budgets vary considerably by industry, given different ways revenue is generated
> For many, two percent to five percent of revenue is typical for an IT budget
> For energy companies, operations technology (such as control systems) may be
additional
> Criteria for additional expenditures
> Regulatory compliance (as much as 50 percent of security budget)
> Requirements to meet business continuity objectives
> Desire to meet industry best practices (such as encryption of all removable storage)
> Changing threat landscape
> Easily exploitable vulnerabilities
> Achieving acceptable risk posture (most subjective and hardest to substantiate)
IT – Information Technology
The “Security” Big Picture
Figure labels: Security Plan; Threats and Vulnerability; First Responder Coordination; Resource Constraints; Training; Policies, Processes and Procedures; Cyber/Physical Convergence; Engineering
Additional Information
Steve Schneider, P.E. CHIEF SOLUTIONS ARCHITECT, ENERGY SOLUTIONS
571-526-6700 – office
443-655-5971 – cell
Gib Sorebo CHIEF CYBERSECURITY STRATEGIST
703-676-0269 – office
703-400-2082 – cell
For a copy of today’s presentation send an e-mail to:
Visit us at leidos.com/utility-security