Cyber Security and Other Realities of Our Digital World
Andy Dickson
IT Director – Nuclear Fleet Operations
What Changes Are We Facing?
Cyber Security Regulation and Threats
Changing IT Landscape and Expectations
Changing Industry
Exelon Overview
Exelon is the largest competitive integrated energy company in the U.S.

Exelon Generation (Competitive Business)

Generation: Power Generation
• Largest merchant fleet in the nation (~35 GW of capacity), with unparalleled upside
• One of the largest and best managed nuclear fleets in the world (~19 GW)
• Significant gas generation capacity (~10 GW)
• Renewable portfolio (~1 GW), mostly contracted

Retail & Wholesale: Constellation
• Leading competitive energy provider in the U.S.
• Customer-facing business, with ~1.1 M competitive customers and large wholesale business
• Top-notch portfolio and risk management capabilities
• Extensive suite of products including Load Response, RECs, Distributed Solar

Exelon Utilities (Regulated Business)

ComEd, PECO & BGE
• One of the largest electric and gas distribution companies in the nation, ~6.6 M customers
• Diversified across three utility jurisdictions – Illinois, Maryland and Pennsylvania
• Significant investments in Smart Grid technologies
• Transmission infrastructure improvement at utilities
Exelon Nuclear and My IT World
By the Numbers…
• 10 Nuclear Sites
• 17 Reactors (12 BWRs, 5 PWRs)
• 3 EOFs
• 2 Corporate Campuses
• 9 EP offsite staging facilities
• 21 Scientech R*Time PPCs
• 6 Legacy PPCs

• 10000 PCs
• 300 Business Servers
• 180 Real Time Servers
• 25 Firewalls
• 40 Routers
• 500 Switches/Routers
• 40 Data Diode Pairs
Is the glass half empty or half full?
Challenges AND Opportunities!
What Changes Are We Facing?
Cyber Security Regulation and Threats
Changing IT Landscape and Expectations
Changing Industry
Current Activity and Threats
Question: What is the average time to infection of an unprotected Windows PC connected to the internet?
Answer: 20 Minutes (SANS Internet Storm Center)
Question: How many pieces of New Malware are created every day?
Answer: >1 Million (Symantec)
Most targeted critical infrastructure sectors
Source: ICS-CERT
Incidents October 2012 to May 2013
You Are HERE
Brief History of Nuclear Cyber Security (10CFR73.54)
2005-07
• NEI 04-04, “Cyber Security Program for Power Reactors”, NEI-NERC MOA on CIP
• Cyber Attack Added to Design Basis Threat
2005-07
• NEI 04-04 Implemented and New NRC Cyber Rule Issued – “SSEP Systems”
• 2009 NRC Decides Program Must be DETERMINISTIC
• NRC Endorses NEI 08-09, Cyber Plan Template – Standard for the Industry
2011-12
• NRC Approves Cyber Security Plans
• NRC Approved Interim Milestone Approach (1-7) Implemented Across Industry
2013
• NRC Interim Inspections Begin
2014 – 16
• Program Fully Implemented
Nuclear Plant Cyber Security
• Data Centers Protected by Firewalls
• Site Business LAN Protected by Firewalls
• Control and Data Acquisition Systems Protected by Data Diodes
Nuclear Industry Has Isolated All Plant Control and Data Acquisition Systems by One-Way Deterministic Devices (Milestone 3)
With Data Diodes in Place, Focus Shifts Quickly to Portable Media
This Leaves…
• Thank You Stuxnet
• Scanning
• Control
• Sanitization
• Security/Employee Awareness
• (Milestone 4)
Current State
• 137 Controls, broken into 698 Sub-Controls Must Be Assessed for EACH Critical Digital Asset – Do the Math!
• 14 of the 22 Scheduled NRC Interim Milestone Inspections have been conducted
• Inspection Team’s interpretation of Milestones 1-7 differs from the industry’s
• Current Deterministic Approach Treats EP Assets in the EOF the Same as Target Set
• Indications from NRC that they would consider moving to a “Consequence-based” Approach – Industry must Seize the Opportunity
• Program can Conflict with Technology Improvements like Wireless Monitoring - Cost/Controls
Example of Evolution in Interpretations
Issue: Antivirus Scanning Kiosks for Removable Media
• Original Approach: Leverage Enterprise Antivirus (AV) Solution
• Current Approach: Use Hardened, Multi-AV, Network-Detached Solution

Issue: Digital Test Equipment
• Original Approach: Scan if Able
• Current Approach: Must be scanned, hardened, and controlled

Issue: Engineering Configuration Control
• Original Approach: For Plant Systems
• Current Approach: For Plant Systems and EP Facilities

Issue: EP Assets (Business LAN)
• Original Approach: Take Credit for Existing Enterprise Cyber Controls
• Current Approach: Need to Isolate and Provide Separate Controls
Cyber Security
Challenges
• Threats are Real
• Nuclear Industry Cannot Tolerate Even Perception of a Breach
• Current Regulatory Interpretations and Lack of Graded Approach Stand to Drive Significant Up Front and Ongoing Costs and Complexity
Opportunities
• Data Diodes and Removable Media Practices Have Fortified our Plants Significantly
• Program has Driven Better Documentation, Control, and Disaster Recovery for Important Systems
• NRC Listening to Industry on Graded Approach
What Changes Are We Facing?
Cyber Security Regulation and Threats
Changing IT Landscape and Expectations
Changing Industry
Changing Technology Landscape OR What’s going on beyond the Data Diode?
Source: Intel Inside Scoop 3/13/2012
Today’s Challenges...the explosion of Digital Technologies has significantly increased requirements to improve efficiencies
Enabling Operational Efficiencies & Emerging Technologies Overview
Social Media
Source: Forbes Website
NEI.org Post-Fukushima Page View
Source: NEI
Cloud Computing
• Security a barrier to adoption
• Beware of 10CFR810 for Nuclear
• Pay attention to new demands on Internet pipe
Gartner predicts that by 2015, 35% of Enterprise IT Expenditures for most organizations will be managed outside of IT Departmental Budgets.
Source: NIST Cloud Model
BYOD Rationale: Consumerization & Anytime Access Trends
7.5B Smartphones by 2015 from 4.6B in 2011 [2]
149M Tablets by 2015 from 17M in 2010 [3]
250-300M M2M Connections by 2015 from 80M in 2010 [4]
[2] Ovum, 2010; [3] Current Analysis, 2011; [4] Current Analysis, 2011
Diversification and Proliferation
998.1M Mobile Cloud App Subscribers in 2014 from 42.8M in 2008 [8]
788M Mobile-Only Internet Users by 2015 [9]
[8] ABI Research, 2009; [9] ARS Technica, 2011
Acceleration and Integration
Virtualization and Ubiquity
Device Adoption
Accelerating Usage
Ubiquitous Access
Consumer Behavior
IT Consumerization
Next Generation Employees want to work with technology and functionality that they can readily get in the marketplace
Rise of Mobile “Elite” workers
Mobility and flexibility are the focus of consumer technology
40% of devices being used for business purposes are personally owned. 10% increase between 2010-2011 [1]
[1] IDC, 2011
76.9B Mobile Apps downloaded in 2014 from 10.9B in 2010 [5]
155M Mobile Video Users by 2015 from 3.4M in 2010 [6]
Over 100M views a day via YouTube mobile in 2011 [7]
[5] IDC, 2010; [6] In-Stat, 2010; [7] YouTube, 2011
BYOD Rationale: Benefits To Employees & Exelon
Effective Controls & Management Oversight
• Consistent BYOD policy and approach to determining employee stipend amounts
• Automated portal for onboarding employees
• Accurate tracking & reporting for management
One Culture
• Consolidate multiple programs with different policies
• Enable ease of use and self service
• Encourage collaboration and advancement of an culture
Employee Satisfaction
• Single device to carry
• Employees empowered to choose device and plans
• Increased mobility
Workforce Productivity
• Increased remote workforce productivity with any time, any where, any device access
• Improved cycle time for approval tasks & issue resolution
• Improved communications and business efficiency
Changing IT Landscape
Challenges
• Social Media is Here – Control Your Message or Someone Else Will
• Cloud-sourcing – Presents Technical and Nuclear-Specific Challenges
• BYOD is Happening Today – Must Deal with It
Opportunities
• Embrace Social Media to Get Your Message Out Directly to Customer and with Great Speed
• Leverage “Cloud” as a Part of your IT Strategy to Speed Deployments, Reduce Internal Complexity and Provide Anytime-Anywhere Access where the Fit is Right
• Seize the Advantages of BYOD
What Changes Are We Facing?
Cyber Security Regulation and Threats
Changing IT Landscape and Expectations
Changing Industry
What’s Going on in our industry
• Shale Gas Disruption
• Nuclear Plant Closings
− Kewaunee – Wisconsin
− Crystal River – Florida
− SONGS – California
• Post-Fukushima Mitigations
• Changing Workforce Demographics
What’s Going on in our industry
• New Nuclear Construction
− Southern Company Vogtle 3 & 4
− SCANA/SCE&G Summer 2 & 3
− TVA Watts Bar 2
Source: SCANA Corporation “INSIGHTS” Spring 2013
Changing Industry
Opportunities
• Leverage Emerging Technology to:
− Automate and Improve Ineffective Processes
− Develop Optimal Solutions to Address Regulations
− Facilitate Knowledge Transfer and Retention
− Attract Best Talent
• Promote Benefits of New Nuclear Technology
Challenges
• Gas Prices will Continue To Challenge the Economics of US Nuclear Fleet and Lead to Potential Additional Plant Closings
• Regulations Like Those for Fukushima and Cyber Security will Apply Additional Financial Challenges
• Retaining Critical Knowledge and Skills as the Work Force Changes – Particularly for Legacy Systems
Closing
So, Is the Glass Half Empty or Half Full?
• Technology Creates Both the Challenge and the Opportunity
• We Can Embrace Change, Seize Opportunities or Be Overwhelmed by the Challenges
• It’s Up to Us!