energysec & nesco overview

EnergySec & National Electric Cyber Security Organization (NESCO) Overview 2012 Technologies for Security and Compliance Summit The Anfield Group August 1-2 2012 Barton Creek Resort – Austin, TX

Upload: energysec

Post on 22-Jan-2015


Category:

Technology



DESCRIPTION

At the 2012 Technologies for Security and Compliance Summit, Patrick Miller provides an overview of various industry-specific cybersecurity topics, focusing on information sharing.

TRANSCRIPT

1. EnergySec & National Electric Cyber Security Organization (NESCO) Overview
  • 2012 Technologies for Security and Compliance Summit
  • The Anfield Group
  • August 1-2 2012
  • Barton Creek Resort, Austin, TX

2. New, New Security Model
  • Nation State quality adversaries
  • Fear the auditor more than attacker
  • Regulatory avalanche forecast
  • Constant compromise
  • Ecosystem of organizations
  • Information sharing is holy grail

The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy. 9/1/2012

3. Info-Share to the Rescue!
  • What does Information Sharing really mean?
  • Taking vs. Sharing
  • Secrecy for secrecy's sake
  • Government doesn't share well (yet)
  • Very useful approach, but not a panacea
  • Comes with trade-offs

4. Information Sharing Reality
Some Pros
  • What works, what doesn't
  • Benchmarking
  • Situational awareness
  • Tactical threat and vulnerability analysis
  • Community-sourcing
  • Regulatory compliance
  • Mentoring
Some Cons
  • Classification and handling, both Gov and Corporations
  • Lawyers, agreements and contracts
  • Consumers will always outnumber sharers
  • Trust; n parties
  • Doesn't scale well

5. Who is EnergySec?
  • Unique, non-profit, independent, public-private information sharing organization
  • Born from Energy Sector
  • Bottom-up vs. top-down
  • TRUSTED
  • By the industry, for the industry
  • Non-profit 501(c)(3)
  • Independent, private
  • 10+ years of information sharing experience

The National Electric Sector Cybersecurity Organization is partially funded by the US Department of Energy. 9/1/2012

6. EnergySec Background
  • 10.2001: Precursor to E-Sec NW formed
  • 7.2004: E-Sec NW formalized and founded
  • Asset owner/operator ONLY; all volunteer
  • 1.2008: SANS Information Sharing Award
  • 12.2008: Incorporated E-Sec NW as EnergySec
  • 10.2009: 501(c)(3) nonprofit determination
  • 4.2010: EnergySec applied for NESCO DOE FOA
  • 7.2010: EnergySec awarded NESCO FOA
  • 10.2010: NESCO became operational

7. What EnergySec Is NOT
  • Not a lobbyist
  • Not a vendor
  • Not a consultant
  • Not government agency
  • Not a regulator

8. EnergySec Staff
  • Extensive applied sector experience
  • Many years employment at asset owners
  • Operations, security, audit, Sr mgmt, OT, IT
  • Regional Entity leadership
  • Independent consulting; big firms and boutiques
  • Built several successful companies
  • EnergySec founders, Info-sharing pioneers
  • Certified, trusted, highly connected, dedicated

9. EnergySec Programs
  • NESCO: Information Sharing & Best Practices
  • Advisory Service
  • EnergySec University Education/Workforce Development
  • LIGHTS: Security in a box (turnkey)
  • Independent board
  • Partnership with ICS-ISAC

10. EnergySec Nonprofit Umbrella
  • Diagram labels: EnergySec; NESCO; Advisory; University; Other

11. EnergySec Advisory
  • Customized agenda; facilitated discussion
  • Examine current and horizon energy sector specific cyber security legislation
  • Explore methods to meet compliance obligations and enhance security posture
  • Present threat, vulnerability and impact landscape to executives and staff
  • Highest concentration of advisors with unique and hard-to-find combination of experience

12. EnergySec University
  • Professional/workforce development path
  • Internal expertise as instructors
  • Open faculty roster from best and brightest
  • Courses in all IT/OT security-related disciplines
  • Internship matchmaking coming soon
  • Working closely with National Board of Information Security Examiners (NBISE)

13. What Is NESCO?
  • R. 3183 ...the Secretary shall establish an independent national energy sector cyber security organization...
  • Department Of Energy issued FOA on March 31, 2010
  • Purpose is to establish a National Electric Sector Cyber Security Organization that has the knowledge, capabilities, and experience to protect the electric grid and enhance integration of smart grid technologies that are adequately protected against cyber attacks.
  • This organization will serve as a focal point to bring together domestic and international experts, developers, and users who will assess and test the security of novel technology, architectures, and applications.

14. NESCO Objectives
  • Organize, lead and implement a public-private partnership
  • Focus cybersecurity research and development priorities
  • Identify and disseminate security best practices
  • Organize the collection, analysis and dissemination of infrastructure vulnerabilities and threats
  • Work cooperatively with the DOE and other Federal Agencies
  • Enhance cybersecurity of the bulk power grid and electric infrastructure

15. Who Is NESCO?
  • Asset Owners: IOU, Muni, Coop
  • Vendor: Product, Service
  • Govt: Non-Reg, Regulatory, Fed, State
  • Academia/Research: Public, Private

16. Connect & Support
  • Diagram labels: Utility Asset Owners

17. Membership Growth

18. Member Demographics
  • Membership by Individual: Academic 2%, Vendor/Other 22%, Govt/Regulatory 12%, Asset Owner 64%
  • Membership by Organization: Academic 5%, Vendor/Other 35%, Govt/Regulatory 11%, Asset Owner 49%
  • 1,050 individual members
  • 363 unique organizations
  • Predominately Asset Owner Driven Membership Base

19. Membership Overview
  • NESCO Members as of Sept 30 2011 (1 year): 788 NESCO members; 278 unique organizations
  • NESCO Members as of July 12 2012: 1050 individuals; 363 unique organizations
  • Note: This represents a nearly 50% annual growth rate

20. Social Media Outreach
  • NESCO mailing list: 3536
  • NESCO Twitter followers: 2635
  • NESCO LinkedIn group members: 535

21. Direct Outreach
  • 3 Town Hall meetings
  • 19 Voice of the Industry (VOI) meetings
  • 82 TAC notices; 149 follow up threads
  • 71 presentations/panels
  • 94 event participation
  • 37 blog mentions
  • 43 interviews and article citations

22. Engage, Equip & Empower
  • Sharing requires trust
  • Trust is built on relationships
  • Our approach
  • Bringing people together
  • Flexible technology options and solutions to extend and enhance relationships
  • Organic growth; birds of a feather

23. NESCO Is Technology
  • Secure collaboration portal
  • Wiki
  • Working groups
  • Discussion forums
  • Email distribution lists
  • Rapid Notification System
  • Social Media: LinkedIn, Twitter, Facebook

24. NESCO Tools
  • Email distribution lists
  • Secure collaboration wiki
  • Secure instant messaging
  • Rapid notification mechanisms
  • Resource repository
  • Most technologies have non-attribution (anonymous) options

25. NESCO Resource Repository
  • Best/common practices
  • Policy, process, procedure
  • Compliance approaches
  • Document Templates
  • Code snippets, scripts
  • System configurations
  • Links to useful security sites
  • And more

26. NESCO Tactical Analysis Center
  • Supports ES-ISAC and ICS-CERT
  • Open & private source intelligence
  • Asset owner volunteer handler SMEs with virtual dashboards
  • Rapid, community-sourced analysis
  • Secure communications
  • Rapid notification system
  • Daily diaries, trending
  • Quarterly & annual reports

27. ES-ISAC, ICS-CERT and TAC
  • An analogy: triage and long term care
Basic differences of the TAC
  • Operated by an independent non-profit org
  • Not associated with a federal regulatory agency
  • DOE partner is non-regulatory
  • Funding expires in 2014, only seed money provided
  • Funding model involves cost-share, so industry bears cost throughout entire effort
  • Electric sector specific
  • Provides feeds, when requested to NERC & DHS &

28. ES-ISAC, ICS-CERT and TAC
Basic differences of the TAC
  • Covers all entities, not just Registered Entities under the NERC Functional Model
  • Not just Bulk Electric w/ CA and CCA
  • Includes smart grid, distribution, QF generation
  • NESCO staff work alongside industry handlers
  • RNS has direct access to security staff
  • Volunteer reporting structure, not mandatory
  • Private position offers unique vendor relationships
  • Anonymized pass through for bi-directional sharing

29. NESCO Products
  • Whitepapers
  • DNS Exfiltration
  • Security Logging Best Practices and Capability Maturity Models
  • Public Key Infrastructure, Automated Metering Infrastructure and Industrial Control Systems
  • DOE Electric Sector Cybersecurity Capability Maturity Model (ES-C2M2) coming soon!
  • What else would you like to see?

30. NESCO Products
  • Rapid Notification System
  • Night Dragon webcast
  • Duqu webcast
  • Multiple TAC notices

31. NESCO Success Stories
  • is fantastic that [DOE produces] a document that deals with a subject so technical and that it makes available to the public. http://goo.gl/0xiWp

32. NESCO Success Stories
  • Spearphishing notices from asset owner shared with DHS for action
  • Result: DHS ICS-CERT advisory issued
  • Accounts from service contractor posted to Internet reviewed for asset owner data
  • Result: Direct contact warning to specific parties

33. NESCO Success Stories
  • Exposed control systems posted on Internet matched to asset owners
  • Result: Direct contact warning to specific parties
  • EnergySec spearphishing attempt
  • Result: Cross-organization comparison with general industry advisory; IOCs published

34. NESCO Success Stories
  • Industry and [some] Regional Entities seeking to modify process for Technical Feasibility Exceptions to maximize security benefit
  • Result: NESCO provided independent and impartial discussion forum, webinar and industry feedback loop for proposed change to process

35. NESCO Success Stories

36. NESCO Funding Model
  • Department of Energy FOA
  • Cooperative agreement
  • Cost-share is ~40%, ramps over life of 3.5 year seed window
  • At end of seed window, NESCO is fully funded by industry
  • Supported by underwriters and TAC subscriptions

37. NESCO Summary
  • Focused on building trust through relationships to further security collaboration and sharing
  • Flexible technology facilitates and catalyzes information/resource sharing efforts
  • Supports existing successful programs
  • Security voice of the electric sector

38. Get Connected
  • EnergySec Summit: September 25-28
  • NESCO Town Hall
  • CISO Forum
  • Policy and Technical Tracks
  • EnergySec University Courses
  • NERC CIP Training: Las Vegas 10/25
  • NERC CIP Training: Sacramento 12/4
  • Cybersecurity for Operations: Nashville 11/7
  • NESCO Voice of the Industry (VOI) Meetings

39. Get Connected
  • www.energysec.org
  • www.energysec.org/join
  • www.energysec.org/tac-subscription-service
  • [email protected]
  • New NESCO website soon!

40. Questions?
  • Patrick C Miller
  • Principal Investigator, National Electric Sector Cybersecurity Organization
  • President & CEO, [email protected]
  • 503.446.1212 (desk)
  • @patrickcmiller (twitter)
  • www.energysec.org