IoT Utility Day. Securing Critical Infrastructure. Nadya Bartol, CISSP, CGEIT. Vice President of Industry Affairs and Cybersecurity Strategist

Transcription

1 IoT Utility Day Securing Critical Infrastructure Nadya Bartol, CISSP, CGEIT Vice President of Industry Affairs and Cybersecurity Strategist July 11, 2016

2 Securing Critical Infrastructure Nadya Bartol, CISSP, CGEIT Vice President of Industry Affairs and Cybersecurity Strategist 2013 Cisco and/or its affiliates. All rights reserved. 2

3 External Drivers Governance U.S. Executive Order European Network and Information Security Directive Canada Cybersecurity Strategy Public/Private UTILITY Regulatory FERC NIS Directive (EU) State PUCs NARUC NRC NERC CIP Standards and Guidelines ISACs, ISAOs Public-private partnerships Industry working groups IEC ISO ENISA NIST ISA99

4 Old Systems Cisco and/or its affiliates. All rights reserved. 4

5 New Networks Physically Secured Utility Data and Control Center ER DCC Router One or more servers Supporting SCADA Master Control Synchrophasor Management Energy Management Demand Response DLR Management DA Master Control Meter Data Management System Physical Security Management Push-to-Talk Switch Physically Exposed Utility Smart Grid Network Alcatel Lucent White Paper, Estimating Smart Grid Communication Network Traffic, March 17, 2014 PMUs Distribution SCADA IEDs DLR IEDs Mobile Workforce Meters Transmission SCADA IEDs DG, DS, EVCS IEDs DA IEDs CCTV Camera

6 Business Need for Data and Efficiency Operations Engineering Telecom IT IT-Based Technology Cybersecurity Converged Organization

7 Evolving Threat ODNI report on foreign industrial espionage Mandiant Advanced Persistent Threat Report Cylance Operation Cleaver Report Iran Centrifuges (Stuxnet) Saudi Aramco Target JP Morgan Electricity Chase Grids (Havex/Black Bear) OPM Anthem Group CareFirst BlueCross Ukraine Utilities Technology Council 2016

8 Different Security Implications Security Priorities Confidentiality, Availability, Integrity Reliability and Safety System, process, and user behavior IT Diverse and unpredictable OT Limited and predictable Equipment lifetime 3-5 years Up to 40 years User population Lots of users who come and go Few well-defined users Who works there Impact of incidents Primary concerns IT, Computer Science, and other assorted backgrounds Usually no impact to physical world Data breaches, disclosure of sensitive information, intellectual property theft Electrical Engineering, Power Engineering, and utility backgrounds Impact of physical world is a real possibility Power loss, water contamination, gas leakage, real life accidents, something going boom

9 UTC s Security Survey Who is in charge of security in your utility? Does your top security person report to the Board and how frequently? Do you have security policies and have they been approved by the Board? How much of your IT and OT budget do you spend on security? Do you ask security-type questions in procurements? How does your Supply Chain Risk/Vendor Management Program map to your enterprise risk program?

10 Reporting Level of Topmost Security Individual CEO COO CRO CIO CFO CISO Other C- Level (Source: Utilities Technology Council) Below C- Level

11 Is there a Board member responsible for Security? Yes No 2 0 < $250 million $250 million - $1 billion $1 billion - $2.5 billion Annual Revenue > $2.5 billion (Source: Utilities Technology Council)

12 Perception of Risk: Average of all responses 7 Increasing Perception of Risk Current Threats 3-5 Years Out (Source: Utilities Technology Council)

13 Security Spending is Driven by Compliance: Agree or Disagree? Strongly Agree Somewhat Agree Somewhat Disagree Strongly Disagree (Source: Utilities Technology Council)

14 Getting there Collaboration People Education Regulation Process Governance Culture Change Technology Upgrades Technology