
Critical Infrastructure Cybersecurity by Nadya Bartol

Date post: 09-Dec-2016
© 2014 Utilities Telecom Council Critical Infrastructure Cybersecurity Nadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist [email protected]
Transcript
Page 1: Critical Infrastructure Cybersecurity by Nadya Bartol

© 2014 Utilities Telecom Council

Critical Infrastructure Cybersecurity

Nadya Bartol, CISSP, CGEIT

VP, Industry Affairs and Cybersecurity Strategist

[email protected]

Page 2: Critical Infrastructure Cybersecurity by Nadya Bartol

Utilities are a target

ICS-CERT responded to a total of 245 incidents in September 2014-February 2015

[Pie chart: incidents by sector. Slice values as extracted: 32%, 27%, 6%, 6%, 6%, 5%, 5%, 3%, 2%, 2%, 2%, 2%, 1%, 1%. Legend: Energy, Critical Manufacturing, Water, Information Technology, Transportation, Nuclear, Communications, Government Facilities, Commercial Facilities, Emergency Services, Financial, Healthcare, Dams.]

https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf

Page 3: Critical Infrastructure Cybersecurity by Nadya Bartol

Verizon Breach Report is a comprehensive look at the global state of cybersecurity

http://www.verizonenterprise.com/DBIR/2015/

Page 4: Critical Infrastructure Cybersecurity by Nadya Bartol

Attackers are getting better while defenders are running in place

[Line chart: horizontal axis 2004 to 2014; vertical axis 25% to 100%. Series labels: "Time to compromise is in days or hours" and "Time to discovery is in days or hours".]

http://www.verizonenterprise.com/DBIR/2015/

Page 5: Critical Infrastructure Cybersecurity by Nadya Bartol

Everyone is a target, including energy companies

[Timeline graphic. Year labels: 2010, 2011, 2012, 2013, 2013, 2014, 2014, 2014, 2015. Event labels: Iran Centrifuges (Stuxnet); ODNI report on foreign industrial espionage; Mandiant Advanced Persistent Threat Report; Electricity Grids (Havex); Saudi Aramco; Target; JP Morgan Chase; Cylance Operation Cleaver Report; Anthem Group; CareFirst BlueCross.]

Page 6: Critical Infrastructure Cybersecurity by Nadya Bartol

Numerous external drivers influence how utilities approach cybersecurity

Regulatory
• FERC
• European Commission
• State PUCs
• NARUC
• NRC

Governance
• U.S. Executive Order 13636
• European Network and Information Security Directive
• Canada Cybersecurity Strategy

Public/Private
• ISACs, ISAOs
• Public-private partnerships
• 60+ working groups in North America

NERC UTILITY

Standards and Guidelines
• IEC
• ISO
• ENISA
• NIST
• ISA99

Page 7: Critical Infrastructure Cybersecurity by Nadya Bartol

Digital infrastructure is here to stay

The New Essential Infrastructure

Rapid Adoption Rate of Digital Infrastructure: 5X Faster than Electricity and Telephony

[Chart: billions of devices (vertical axis, 0 to 50) over a timeline of 2010, 2015, 2020. Data labels as extracted: 50 Billion “Smart Objects”, 25, 12.5, Inflection Point. World Population labels as extracted: 7.2, 6.8, 7.6.]

Source: Cisco IBSG, 2011

Used with permission. Copyright Cisco 2015 all rights reserved

Rick Geiger, Cisco, Securing Industrial Internet of Things: What Do Utilities Need to Know? UTC TELECOM and Technology 2015

Page 8: Critical Infrastructure Cybersecurity by Nadya Bartol


Systems may evolve beyond intended use

http://www.trinitysquareflat.com/mediac/450_0/media/Tower$20of$20London$20-$20Aerial$20View.jpg

Page 9: Critical Infrastructure Cybersecurity by Nadya Bartol

Where are IT, OT, and Physical Security?

One or more servers supporting:
• SCADA Master Control
• Synchrophasor Management
• Energy Management
• Demand Response
• DLR Management
• DA Master Control
• Meter Data Management System
• Physical Security Management
• Push-to-Talk Switch

Field devices: Meters; Transmission SCADA IEDs; DG, DS, EVCS IEDs; DA IEDs; CCTV Camera; PMUs; Distribution SCADA IEDs; DLR IEDs; Mobile Workforce

[Diagram labels: Utility Smart Grid Network; Utility Data and Control Center; ERDCC Router; Physically Secured; Physically Exposed.]

Alcatel Lucent White Paper, Estimating Smart Grid Communication Network Traffic, March 17, 2014

Page 10: Critical Infrastructure Cybersecurity by Nadya Bartol

Business value is driving IT/OT convergence

[Diagram labels: IT; Engineering; Operations; Telecom; IT-Based Technology; Converged Organization; Cybersecurity.]

• Chief Information Security Officer
• Information Security Manager
• Information Security Officer
• Director, IT Security, Risk, and Controls
• Head of Digital Risk and Security
• Director, Information Security

Page 11: Critical Infrastructure Cybersecurity by Nadya Bartol

Business value is driving IT/OT convergence

[Diagram labels: IT; Engineering; Operations; Telecom; Converged Organization; Rules Data IP Analytics; Review Set points IP Decisions; Cybersecurity.]

• Chief Information Security Officer
• Information Security Manager
• Information Security Officer
• Director, IT Security, Risk, and Controls
• Head of Digital Risk and Security
• Director, Information Security

Page 12: Critical Infrastructure Cybersecurity by Nadya Bartol

Utility systems grew organically, run by different internal organizations

[Network diagram labels as extracted: ICS System; Proprietary; Field Site 1; Field Site 2; Field Site 3; Field Site 4; WAN; Wireline; Microwave; Other RF; Internet; IT Network; IP-Based; Remote Vendor Access; and IP-based; Smart Grid Network.]

Page 13: Critical Infrastructure Cybersecurity by Nadya Bartol

Utility systems grew organically, run by different internal organizations within a variety of physical boundaries

[Network diagram labels as extracted: ICS System; Proprietary; Field Site 1; Field Site 2; Field Site 3; Field Site 4; WAN; Wireline; Microwave; Other RF; Internet; IT Network; IP-Based; Remote Vendor Access; and IP-based; Smart Grid Network.]

Page 14: Critical Infrastructure Cybersecurity by Nadya Bartol

Utilities cybersecurity needs and priorities

• Legal framework for threat and vulnerability information sharing
• Security-aware culture where everyone understands security risks and behaves accordingly
• Raise the bar of security practices across the industry
• Productive dialog with ICT vendors about integrating security into utility ICT products and services
• Utility cybersecurity workforce that can implement reliable and secure networks for the future
• Security products designed for control systems, by vendors that understand control systems
• Harmonized standards and guidelines
• Risk-based approach for communicating cybersecurity to executives and boards

Page 15: Critical Infrastructure Cybersecurity by Nadya Bartol

How UTC addresses utilities cybersecurity challenges for the members

Categories
• Technical Assistance
• Policies and Standards
• Awareness, Training, and Education

Needs
• Educate utility technology practitioners on cybersecurity
• Educate regulators and legislators
• Harmonize standards and guidelines
• Help solve daily cybersecurity challenges

UTC Initiatives
• Security, Risk, and Compliance Committee
• IT/OT Security Working Group
• UTC Supply Chain Risk Management Training
Engineering and Management Beginners Learning
• Graduate Certificate in Critical Infrastructure Cybersecurity
• Thought leadership in standards and guidelines
• UTC Practical Guides
• Advocacy with legislative and regulatory bodies
• Response to legislative and regulatory inquiries and requests
• Cybersecurity Assessments and Roadmap
• Advisory assistance to UTC members
• Platform for peer knowledge sharing and mentoring

