
Critical Infrastructure The Honorable Branko Terzic Confidential. - PowerPoint PPT Presentation



  1. TeleGroup INFOSEC Cyber Security in Energy Critical Infrastructure The Honorable Branko Terzic Confidential. Please do not circulate outside your organization without permission.

  2. Biography Speaker: Dr. h.c. Branko Terzic, Managing Director, Berkeley Research Group LLC, and Senior Fellow, Atlantic Council; Distinguished Fellow, Council on Competitiveness. Former: • Commissioner, US Federal Energy Regulatory Commission • Commissioner, Wisconsin Public Service Commission • Chairman, President and CEO of Yankee Energy System, Inc. B.S. Energy Engineering and Doctor of Sciences in Engineering from The University of Wisconsin – Milwaukee • Former Chair, United Nations ECE Expert Group on Cleaner Electricity Production

  3. Headlines • “As Cyber Threats To The Electric Grid Rise, Utilities And Regulators Seek Solutions” (Forbes, Jan 2017) • “Why utilities say grid security is the most pressing sector issue of 2017” (Utility Dive, April 2017) • “Federal assessment finds ‘gaps’ in preparation for electric grid attacks” (The Hill, May 2018) • “DOE unveils 'integrated strategy' to reduce utility cyberthreats” (May 2018) • “Senators Want Dumber Tech For Energy Grid Cybersecurity” (Next Gov, March 2018)

  4. Basic Security Concepts • Step 1: Define security policy • Step 2: Define processes • Step 3: Choose and implement technology • Step 4: Document

  5. TECHNOLOGY CONVERGENCE CREATES THREAT EXPOSURE

  6. THREAT LIKELIHOOD VS. CONSEQUENCES AND LITIGATION Threats and Litigation Opportunities: • Utility Grid and Infrastructure has become more “Red” in recent years due to nation state threats • Damages include loss of life or major GDP centers (e.g., almost lost Silicon Valley power for 28 days) • Utilities need to seem proactive to contract firmly and litigate against cost over-runs or face future budget disapproval or corporate reputational risk

  7. U.S. Department of Energy Cybersecurity Capability Model: Ten Core Domains (Competencies): (1) Risk Management; (2) Asset, Change, and Configuration Management; (3) Identity and Access Management; (4) Threat and Vulnerability Management; (5) Situational Awareness; (6) Information Sharing and Communications; (7) Event and Incident Response, Continuity of Operations; (8) Supply Chain and External Dependencies Management; (9) Workforce Management; and (10) Cybersecurity Program Management

  8. Cyber Technology Limitation • Cyber security technology by itself, however, can only partially address the issue of cyber threats. • Energy utilities also need to deploy the proper organization and processes in order to supplement the impact of cyber security protection technologies.

  9. Energy Utility Operations & Security Lifecycle: Not an event, evolving to a way of business. [Diagram: lifecycle stages: Establish Governance • Harmonize Controls to create Unified Control Framework • Tailor Controls to determine correct baseline • Assess Existing Implementation of Controls • Plan Remediation Activities & Tools • Implement Remediation Actions. Reference projects shown: NIST, NERC, NRC/NEI, DHS, ITIL, CobIT, SOX, ASIS, ANSI/ISA, IEEE. Other labels: Assessment Focus, Future Focus, Moderate, Local.]

  10. Energy Infrastructure Security Three Areas of Concern • Regulatory and Legal Compliance • Physical Security • Cyber Security

  11. Regulatory Compliance • In the U.S. there are FERC and NERC Critical Infrastructure Protection (CIP) program requirements. All energy companies need to have: • Assessment and implementation • Security awareness and training • Established Security policy • Periodic regulatory change reviews • Asset management security segregation

  12. Regulatory Compliance • Establish security governance protocol • Security program engagement teams • Security engineering and operations • Security project management and oversight • Chief Information Security Officer (CISO) responsibilities

  13. Regulatory Compliance • Operational Technology (OT) oversight programs • OT cyber security programs • Compliance programs for IT and OT • Insurance industry interaction and advisement

  14. Physical Security • Physical security requires a robust security environment which includes action in areas of: – threat and vulnerability assessments, policy and procedure review and development, – security audits, – security training, and – security master planning

  15. Vulnerability assessment and operations impact • Physical failure • Weather and natural disaster service denial • Local sabotage

  16. Telecommunications system protection • Key relay communication circuits to control center communications • Power line carrier • Leased communications lines • Microwave • Fiber optic • GPS signaling • Secure video

  17. Physical Security Upgrade support • Surveillance and video • Physical access control and identification technology • Integration into Security Operations Centers (SOC) • Physical security oversight of Engineering Procurement and Construction (EPC) vendors • Development of Less Than Lethal response options • Law Enforcement interaction

  18. Cyber Security • Requires strategy, planning, implementation, and ongoing support stages. • Information security continuous monitoring • Continuous diagnostic & mitigation • Privacy program • Risk management and cyber risk program

  19. Cyber Security Operations and Threat Management • Cyber security monitoring • Cyber security incident response • Threat intelligence • Risk assessments and penetration testing • Insider threat

  20. Cyber Security • Security authorizations • External/Internal communications • External/Internal cyber security engagements – UNITE (Utility Information Technology Benchmark) – SEWG (Senior Executive Working Group) – Other industry/sector engagements – Coordination with Government Agencies

  21. Sample Energy Industry Guideline • Form Cyber Security Team • Identify Critical Digital Assets • Apply Defensive Architecture • Address Security Controls: 1. Address each control for each CDA 2. Or, apply alternative measures 3. Or, explain why a control is N/A

  22. Cybersecurity is not an external review. Cybersecurity needs to be an integral part of the culture of the business, as it is an essential part of the uninterrupted delivery of service to customers, which is the business of the energy company. Branko Terzic, Managing Director, Berkeley Research Group LLC, bterzic@thinkbrg.com, Mobile (703) 919-0164
