Post on 08-Aug-2020
transcript
2019 Deloitte Power & Utilities Conference
Power is not static
December 3-4, 2019
“Bits, Bytes & Barrels” webinar
Cyber Risks and How Power & Utility Companies Can Mitigate
James Turgal, Managing Director, Deloitte & Touche LLP
Copyright © 2019 Deloitte Development LLC. All rights reserved. 3
Contents
Security threat landscape
• A multi-faceted business issue
Industry vulnerabilities and threat vectors
What is your strategy
• What does good cyber security look like?
How do you think about response and mitigation?
Industry Impact
• Improve Resilience
• Build Platforms
• Amplify Brand
• Derive Insights
• Share Information
• Embrace Innovation
• Orchestrate Change
Cyber Risk & Response Themes
• Data
• Ecosystems
• Attack Surface
Security threat landscape
A multi-faceted national security & business issue
Cyber Risk & Response Themes
Overview of the threat actors, vectors, motivation and impact
Threat actors:
• State actors
• Hacktivists
• Employees & Contractors
• Cyber-criminals
• Script kiddies
• Competition
• Customers
Motivation:
• Espionage
• Financial gain
• Corruption of data
• Human error
• Disruption
• Making a statement
• Strategic National Security Advantage
Power & Utility Industry dynamic threat landscape
Overview of the threat actors, vectors, motivation and impact
Vectors:
• Intellectual Property
• Customer data
• Services
• Financial data
• Network Design data
• Operational info
• Reputation
Threats:
Top 3 threats in TMT:
• DDoS Attacks
• Web App Attacks
• Malware / Crimeware
Further major concerns:
• Insider Threats
• Data Breaches
• Information Leakage
• Data localization
Other global threats:
• Botnets
• Third party threats
• Cyber Espionage
• Phishing
Threat Actors / Capabilities in the Energy & Utility Sector
Industry vulnerabilities & threat vectors
Threat Vectors – Energy / Utility Sector and Impacts on Information & Operational Technology
Threat Scenario
1. Infection through Intrusion Detection System (IDS)
2. Virus / Trojan infiltrates industrial control system
3. Social Engineering: Phishing employees on enterprise level propagates to field level manipulation
4. Malicious Update to Firmware in the Field to influence a single substation
5. Cross-sector, cross-border message flooding
6. Compromise equipment through SCADA application
7. Advanced Persistent Threat (APT) to Distribution System Operator (DSO) flexibility management system
8. Plant tripped off-line through compromised vendor remote connection equipment
9. Compromise Distribution Grid Management (DGM) through Supply Chain vulnerabilities
10. Weakened Security during weather-related disaster
11. Unauthorized Mass Remote Disconnect through Firmware update
[Chart: each scenario placed on a scale from OT Focus (100%) to IT Focus (100%); individual ratings not recoverable from the extracted text]
Threat impacts
• National Security Impact
• Loss of Sensitive & Customer Data
• Service Unavailability
• Direct Financial Impact
• Reputation Damage
• Business Impact
What is your strategy
What does good cyber security look like?
Deloitte’s Cyber Strategy Evolution from Secure, Vigilant and Resilient to…
Is the answer Structural or Strategy or Both?
How do you synchronize Cyber Risk across People, Process and Technology?
What are your thoughts on Digital Ecosystems and Hybrid Infrastructure and Reduction of Attack Surface Area?
Simplification:
• Automated System Recovery (ASR)
• Process Simplification
• Data Reduction
• Access (Least Privilege)
• Where is your Data? What are your most valuable business Assets?
• What protections secure them?
Automation:
• Monitoring / Testing / Validation
• Reporting / Identity / Patching
Change Management:
• Culture (Mailroom to Boardroom)
• Ownership
• Insiders
• Training
Third Party Interaction:
• Re-Balancing Risk or Sharing Risk
• Managed Services – Are you sharing the risk or Chasing the Threat?
How does your Structure or Strategy lead to Building Resilience and Guaranteeing Recovery?
How do you think about risk & mitigation?
ICS/OT Cyber Solutions
• ICS/OT Cyber Asset Visibility and Monitoring
• ICS/OT Cyber Baseline Risk Assessments
• Incident Response (IR) and Forensics
• ICS/OT Threat Intelligence
• ICS/OT Vendor Risk Assessment
• Managed Threat Services
Strategies to defend industrial control systems
How does your strategy stack up?
Internet of Things (IOT)
Data – Ecosystems – Attack Surface