critical infrastructure cybersecurity by nadya bartol
Post on 09-Dec-2016
230 Views
Preview:
TRANSCRIPT
© 2014 Utilities Telecom Council
Critical Infrastructure Cybersecurity
Nadya Bartol, CISSP, CGEIT
VP, Industry Affairs and Cybersecurity Strategist
Nadya.bartol@utc.org
© 2014 Utilities Telecom Council 2
Utilities are a target
32%
27%6%
6%
6%
5%
5%
3%2%
2% 2% 2%
1%
1%
ICS CERT Responded to the toal of245 incidents in September 2014-February 2015
Energy
Critical Manufacturing
Water
Information Technology
Transportation
Nuclear
Communications
Govenment Facilities
Commercial Facilities
Emergency Services
Financial
Healthcare
Dams
https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf
© 2014 Utilities Telecom Council 3
Verizon Breach Report is a comprehensive look at the
global state of cybersecurity
http://www.verizonenterprise.com/DBIR/2015/
© 2014 Utilities Telecom Council 4
Attackers are getting better while defenders are
running in place
2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014
100%
75%
50%
25%
http://www.verizonenterprise.com/DBIR/2015/
Time to compromise is in days or hours
Time to discovery is in days or hours
© 2014 Utilities Telecom Council 5
Everyone is a target, including energy companies
2010
Iran
Centrifuges
(Stuxnet)
2011
ODNI report on
foreign industrial
espionage
Mandiant
Advanced
Persistent
Threat
Report
2014
Electricity
Grids
(Havex)
2012
Saudi
Aramco
2013 2013
Target
2014
JP Morgan
Chase
2015
Cylance
Operation Cleaver
Report
2014
Anthem
Group
CareFirst
BlueCross
© 2014 Utilities Telecom Council 6
Numerous external drivers influence how utilities
approach cybersecurity
Regulatory
FERC
European Commission
State PUCs
NARUC
NRC
Governance
U.S. Executive Order 13636
European Network and
Information Security Directive
Canada Cybersecurity
Strategy
Public/Private
ISACs, ISAOs
Public-private partnerships
60+ working groups in North
America
NERC UTILITY
Standards and Guidelines
IEC
ISO
ENISA
NIST
ISA99
© 2014 Utilities Telecom Council 7
7.2 6.8 7.6
Rapid Adoption Rate of Digital Infrastructure: 5X Faster than Electricity and Telephony
50 Billion
“Smart Objects”
50
2010 2015 2020
0
40
30
20
10
BIL
LIO
NS
OF
DEV
ICES
25
12.5
Inflection Point
TIMELINE
World Population
Digital infrastructure is here to stay
Source: Cisco IBSG, 2011
The New Essential Infrastructure
Used with permission. Copyright Cisco 2015 all rights reserved
Rick Geiger, Cisco, Securing Industrial Internet of Things:
What Do Utilities Need to Know? UTC TELECOM and Technology 2015
© 2014 Utilities Telecom Council 8
Systems may evolve beyond intended use
http://www.trinitysquareflat.com/mediac/450_0/media/Tower$20of$20London$20-$20Aerial$20View.jpg
© 2014 Utilities Telecom Council 9
Where are IT, OT, and Physical Security?
One or more servers Supporting • SCADA Master Control• Synchrophasor Management• Energy Management• Demand Response• DLR Management• DA Master Control• Meter Data Management System• Physical Security Management• Push-to-Talk Switch
Meters Transmission SCADA IEDs DG, DS, EVCS IEDs DA IEDs CCTV Camera
PMUs Distribution SCADA IEDs DLR IEDs Mobile Workforce
Utility Smart Grid Network
Utility Data and Control Center
ERDCC Router
Alcatel Lucent White Paper, Estimating Smart Grid Communication Network Traffic, March 17, 2014
Physically
Secured
Physically
Exposed
© 2014 Utilities Telecom Council 10
Business value is driving IT/OT convergence
IT Engineering Operations Telecom
IT-Based Technology
Converged
Organization
Cybersecurity
• Chief Information Security Officer
• Information Security Manager
• Information Security Officer
• Director, IT Security, Risk, and
Controls
• Head of Digital Risk and Security
• Director, Information Security
© 2014 Utilities Telecom Council 11
Business value is driving IT/OT convergence
IT Engineering Operations Telecom
Converged
Organization
• Chief Information Security Officer
• Information Security Manager
• Information Security Officer
• Director, IT Security, Risk, and
Controls
• Head of Digital Risk and Security
• Director, Information Security
Rules Data IP Analytics
Review Set points IP Decisions
Cybersecurity
© 2014 Utilities Telecom Council 12
Utility systems grew organically ran by different internal
organizations
ICS System
Proprietary
Field Site 1
Field Site 3
Field Site 2
Field Site 4
WAN
Wireline
Microwave
Other RF
Internet
IT Network
IP-Based
Remote
Vendor
Access
and IP-based
Smart Grid
Network
© 2014 Utilities Telecom Council 13
Utility systems grew organically ran by different internal
organizations within a variety of physical boundaries
ICS System
Proprietary
Field Site 1
Field Site 3
Field Site 2
Field Site 4
WAN
Wireline
Microwave
Other RF
Internet
IT Network
IP-Based
Remote
Vendor
Access
and IP-based
Smart Grid
Network
© 2014 Utilities Telecom Council 14
Utilities cybersecurity needs and priorities
Legal framework for threat and vulnerability information sharing
Security-aware culture where everyone understands security risks
and behaves accordingly
Raise the bar of security practices across the industry
Productive dialog with ICT vendors about integrating security into
utility ICT products and services
Utility cybersecurity workforce that can implement reliable and
secure networks for the future
Security products designed for control systems,
by vendors that understand control systems
Harmonized standards and guidelines
Risk-based approach for communicating cybersecurity
to executives and boards
© 2014 Utilities Telecom Council 15
How UTC addresses utilities cybersecurity challenges for
the members
Technical
Assistance
Policies and
Standards
Awareness,
Training, and
Education
Educate utility
technology
practitioners on
cybersecurity
Educate
regulators and
legislators
Harmonize
standards and
guidelines
Help solve daily
cybersecurity
challenges
• Security, Risk, and Compliance Committee
• IT/OT Security Working Group
• UTC Supply Chain Risk Management Training
Engineering and Management Beginners
Learning
• Graduate Certificate in Critical Infrastructure
Cybersecurity
• Thought leadership in standards and guidelines
• UTC Practical Guides
• Advocacy with legislative and regulatory bodies
• Response to legislative and regulatory inquiries
and requests
• Cybersecurity Assessments and Roadmap
• Advisory assistance to UTC members
• Platform for peer knowledge sharing and
mentoring
Needs UTC Initiatives
top related