Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

Size: px
Start display at page:

Download "Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities"

Transcription

1 Cybersecurity Basics For Energy Managers Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities Michael Mylrea Manager, Cybersecurity & Energy Technology Pacific Northwest National Lab August 15, 2017 Tampa Convention Center Tampa, Florida

2 Case Studies & Lessons Learned Ukraine Grid Cyber Attack The Industrial Control System Cyber Kill Chain. Michael J. Assante and Robert M. Lee October 2015 Lessons Learned Know and Monitor Your Critical Cyber Assets Do Not Run A Flat Network - Segregate & Secure IT/OT Networks Cyber Policies Can Reduce Human Error Hackers Often Use Very Basic Tactics to Hack Very Vulnerable Systems Implement Password Management Controls, Firewalls, Encryption & Configuration Policies 2

3 Case Studies & Lessons Learned Devil s Ivy MIRAI SHODAN RESEARCH Lessons Learned Cybersecurity starts with smart procurement and provisioning of devices Though it is easy to find vulnerabilities, you can make it tough to exploit them Patch early, Patch often, Patch Smart Security is a continuous process that requires active management of cyber risk 3

4 Case Study: DOE Integrated Joint Cybersecurity Coordination Center Cyber Physical ECC Buildings Cybersecurity Framework 3 Open Source Tools to Help Protect Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities Lessons Learned & Recommendations Government lacks clear cybersecurity requirements for buildings and OT cybersecurity Insider attacks, social engineering & physical access can defeat cybersecurity defenses Establish clear roles and responsibilities for buildings cybersecurity 4

5 IJC3 Lessons Learned Applying Facility OT Cyber Assessment Tools & Methodologies Security is a Continuous Process Fostering a Culture of Security is Imperative. The following are a couple of easy to use tools to facilitate this process Procedures Organizational Level tools DOE Buildings Cybersecurity Framework Provides an actionable framework for establishing OT building and facility specific OT cybersecurity PROCEDURES -Implements new executive order for cybersecurity for critical infrastructure Policies DOE Cybersecurity Maturity Model Provides high level baseline and guidance for developing cybersecurity POLICIES for buildings OT Adapted from over 50 cyber best practices to assess buildings/facilities IT and OT Measuring policies and procedures in place INL/DHS CSET Helps assess the policies and procedures that are in place against industry and government best practices Systems level Assessment Facility Level tools COTS Cyber Tools/Vendor Solutions There are are many COTS, each with their own strengths and weaknesses.but no panacea. Limitations: Cost, know-how and risk of causing damage - scanning legacy buildings controls

6 Buildings Cybersecurity Framework

7 BCF Realizes Goals of the Recent Executive Order Requiring Implementation of the NIST Cyber Framework The executive order encourages implementation of the NIST Framework which is the core of BCF and holds cabinet secretaries and agency directors responsible for the security of their organizations' information assets, as is the current law. "Agency heads will be held accountable by the president for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of information or systems," the revised draft order states. Domains are logical groupings of cybersecurity practices, based on the foundation of National Institute of Standards and Technology (NIST) Framework.

8 Organization of the BCF Framework Framework Based on NIST Cybersecurity Framework and existing best practices Domains Framework contains 5 domains Building Blocks Three or more per domain. Unique to each domain Each Domain Includes a Checklist & Security Indicator Level (SIL) Security Level 1 Security Level 2 Security Level 3

9 BCF Webtool Features 9

10 References SANS Institute 20 Critical Security Controls ISA :2013 ISO/IEC 27001:2013 Michael Chipley; Daryl Haegley; And Eric J. Nickel, Your Building Control Systems Have Been Hacked. Now What? DOE Cybersecurity Capability Maturity Model (C2M2) DOE Buildings Cybersecurity Maturity Model (B-C2M2) DOE EERE BTO Buildings Cybersecurity Whitepaper (forthcoming) DOE EERE Building Cybersecurity Framework Overview (forthcoming) DOE s U.S. Department of Defense, United Facilities Criteria: Cybersecurity of Facility-Related Control Systems (UFC) DoD Instruction , Risk Management Framework (RMF) for DoD Information Technology (IT) DoD Facility-Related Control Systems Cybersecurity Guidelines Executive Order and (May 2017) Michael J. Assante and Robert M. Lee. The Industrial Control System Cyber Kill Chain. October 2015 National Institute of Standards and Technology Special Publication R4 Security and Privacy Controls for Federal Information Systems and Organizations 2013 National Institute of Standards and Technology Special Publication R2 Guide to Industrial Control Systems (ICS) Security 2015 National Institute of Standards and Technology Special Publication SP United Facilities Criteria Direct Digital Control for HVAC and Other Building Control Systems Government Accountability Office Report 15-6 Federal Facility Cybersecurity

11 Contact Info Michael Mylrea Pacific Northwest National Lab 11

Breaking the Blockchain: Real-World Use Cases, Opportunities and Challenges

Breaking the Blockchain: Real-World Use Cases, Opportunities and Challenges SESSION ID: BAC-W12 Breaking the Blockchain: Real-World Use Cases, Opportunities and Challenges Dr. Michael Mylrea Senior Advisor for Cybersecurity & Blockchain Lead Pacific Northwest National Laboratory

More information

Securing Buildings & Facilities From Emerging Cyber Threats

Securing Buildings & Facilities From Emerging Cyber Threats Session 5: [Session Title] Securing Buildings & Facilities From Emerging Cyber Threats Michael Mylrea Manager, Cybersecurity & Energy Technology Pacific Northwest National Lab August 10, 2016 Rhode Island

More information

Build Your Cybersecurity Program in Minutes: Click, Copy, Modify, Implement

Build Your Cybersecurity Program in Minutes: Click, Copy, Modify, Implement FEMP Cybersecurity Program Review Build Your Cybersecurity Program in Minutes: Click, Copy, Modify, Implement Daryl Haegley GISCP, OCP OASD EI&E / ODASD IE August 15, 2017 Tampa Convention Center Tampa,

More information

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby

More information

NIST Security Certification and Accreditation Project

NIST Security Certification and Accreditation Project NIST Security Certification and Accreditation Project An Integrated Strategy Supporting FISMA Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive

More information

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening

More information

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce

More information

New Guidance on Privacy Controls for the Federal Government

New Guidance on Privacy Controls for the Federal Government New Guidance on Privacy Controls for the Federal Government IAPP Global Privacy Summit 2012 March 9, 2012 Dr. Ron Ross Computer Security Division, NIST Martha Landesberg, J.D., CIPP/US The Privacy Office,

More information

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System Slide 1 RMF Overview RMF Module 1 RMF takes into account the organization as a whole, including strategic goals and objectives and relationships between mission/business processes, the supporting information

More information

Cybersecurity & Privacy Enhancements

Cybersecurity & Privacy Enhancements Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their

More information

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT ENERGY AUTOMATION - SMART GRID Restricted Siemens AG 20XX All rights reserved. siemens.com/answers Frederic Buchi, Energy Management Division, Siemens AG Cyber

More information

Risk Assessments, Continuous Monitoring & Intrusion Detection, Incident Response

Risk Assessments, Continuous Monitoring & Intrusion Detection, Incident Response Risk Assessments, Continuous Monitoring & Intrusion Detection, Incident Response Michael Chipley, PhD PMP LEED AP President January 6, 2014 mchipley@pmcgroup.biz 1 Risk Assessments Multiple Standards and

More information

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding

More information

Cyber Risk in the Marine Transportation System

Cyber Risk in the Marine Transportation System Cyber Risk in the Marine Transportation System Cubic Global Defense MAR'01 1 Cubic.com/Global-Defense/National-Security 1 Cubic Global Defense Global Security Team Capabilities Program Management Integration

More information

Cybersmart Buildings: Securing Your Investments in Connectivity and Automation

Cybersmart Buildings: Securing Your Investments in Connectivity and Automation Cybersmart Buildings: Securing Your Investments in Connectivity and Automation Jason Rosselot, CISSP, Director Product Cyber Security, Johnson Controls AIA Quality Assurance The Building Commissioning

More information

The GenCyber Program. By Chris Ralph

The GenCyber Program. By Chris Ralph The GenCyber Program By Chris Ralph The Mission of GenCyber Provide a cybersecurity camp experience for students and teachers at the K-12 level. The primary goal of the program is to increase interest

More information

Cybersecurity Risk Management:

Cybersecurity Risk Management: Cybersecurity Risk Management: Building a Culture of Responsibility G7 ICT and Industry Multistakeholder Conference September 25 2017 Adam Sedgewick asedgewick@doc.gov Cybersecurity in the Department of

More information

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER THE WHITE HOUSE Office of the Press Secretary FOR IMMEDIATE RELEASE May 11, 2017 EXECUTIVE ORDER - - - - - - - STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority

More information

Updates to the NIST Cybersecurity Framework

Updates to the NIST Cybersecurity Framework Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity

More information

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure EXECUTIVE ORDER [13800] - - - - - - - STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS

More information

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist Agenda Industry Background Cybersecurity Assessment Tools Cybersecurity Best Practices 2 Cybersecurity

More information

CYBERSMART BUILDINGS. Securing Your Investments in Connectivity and Automation

CYBERSMART BUILDINGS. Securing Your Investments in Connectivity and Automation CYBERSMART BUILDINGS Securing Your Investments in Connectivity and Automation JANUARY 2018 WELCOME STEVE BRUKBACHER Application Security Manager Global Product Security Johnson Controls 1 WHY ARE WE HERE

More information

Cybersecurity Auditing in an Unsecure World

Cybersecurity Auditing in an Unsecure World About This Course Cybersecurity Auditing in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that cybersecurity

More information

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy August 10, 2017 version WORKING DOCUMENT Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy This working

More information

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber Initiatives 30 January 2018 1 Agenda Federal Landscape Cybersecurity

More information

Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security

Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security Michael John SmartSec 2016, Amsterdam www.encs.eu European Network for Cyber Security The European

More information

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER FOR IMMEDIATE RELEASE May 11, 2017 THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER - - - - - - - STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority

More information

Smart Grid Standards and Certification

Smart Grid Standards and Certification Smart Grid Standards and Certification June 27, 2012 Annabelle Lee Technical Executive Cyber Security alee@epri.com Current Environment 2 Current Grid Environment Legacy SCADA systems Limited cyber security

More information

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC 20301-3000 ACQUISITION, TECHNO LOGY. A N D LOGISTICS SEP 2 1 2017 MEMORANDUM FOR COMMANDER, UNITED ST A TES SPECIAL OPERATIONS

More information

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework Keith Price Principal Consultant 1 About About me - Specialise in cybersecurity strategy, architecture, and assessment -

More information

United States Energy Association Energy Technology and Governance Program REQUEST FOR PROPOSALS

United States Energy Association Energy Technology and Governance Program REQUEST FOR PROPOSALS United States Energy Association Energy Technology and Governance Program REQUEST FOR PROPOSALS UTILITY CYBER SECURITY INITIATIVE (UCSI) CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2) ASSESSMENT FOR THE

More information

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA The African Internet Governance Forum - AfIGF2017 5 Dec 2017, Egypt Agenda Why? Threats Traditional security? What to secure?

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion The Host Intrusion employs a response to a perceived incident of interference on a host-based system

More information

NW NATURAL CYBER SECURITY 2016.JUNE.16

NW NATURAL CYBER SECURITY 2016.JUNE.16 NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING

More information

DFARS Cyber Rule Considerations For Contractors In 2018

DFARS Cyber Rule Considerations For Contractors In 2018 Portfolio Media. Inc. 111 West 19 th Street, 5th Floor New York, NY 10011 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com DFARS Cyber Rule Considerations For Contractors

More information

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc. Cyber Security For Utilities Risks, Trends & Standards IEEE Toronto March 22, 2017 Doug Westlund Senior VP, AESI Inc. Agenda Cyber Security Risks for Utilities Trends & Recent Incidents in the Utility

More information

The Perfect Storm Cyber RDT&E

The Perfect Storm Cyber RDT&E The Perfect Storm Cyber RDT&E NAVAIR Public Release 2015-87 Approved for public release; distribution unlimited Presented to: ITEA Cyber Workshop 25 February 2015 Presented by: John Ross NAVAIR 5.4H Cyberwarfare

More information

IPM Secure Hardening Guidelines

IPM Secure Hardening Guidelines IPM Secure Hardening Guidelines Introduction Due to rapidly increasing Cyber Threats and cyber warfare on Industrial Control System Devices and applications, Eaton recommends following best practices for

More information

Who Goes There? Access Control in Water/Wastewater Siemens AG All Rights Reserved. siemens.com/ruggedcom

Who Goes There? Access Control in Water/Wastewater Siemens AG All Rights Reserved. siemens.com/ruggedcom WEAT Webinar Who Goes There? Access Control in Water/Wastewater Siemens AG 2018. siemens.com/ruggedcom ACCESS CONTROL WEBINAR TABLE OF CONTENTS TOPIC Why Access Control? Risks If Not Used Factors of Authentication

More information

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not

More information

Statement for the Record

Statement for the Record Statement for the Record of Seán P. McGurk Director, Control Systems Security Program National Cyber Security Division National Protection and Programs Directorate Department of Homeland Security Before

More information

An Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)

An Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL) An Operational Cyber Security Perspective on Emerging Challenges Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL) Johns Hopkins University Applied Physics Lab (JHU/APL) University

More information

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment Preparing Your Organization for a HHS OIG Information Security Audit David Holtzman, JD, CIPP/G CynergisTek, Inc. Brian C. Johnson, CPA, CISA HHS OIG Section 1: Models for Risk Assessment Section 2: Preparing

More information

Cybersecurity and Hospitals: A Board Perspective

Cybersecurity and Hospitals: A Board Perspective Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,

More information

International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management. Frequently Asked Questions

International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management. Frequently Asked Questions November 2002 International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management Introduction Frequently Asked Questions The National Institute of Standards and Technology s

More information

Looking Forward: USACE MILCON Cybersecurity Integration

Looking Forward: USACE MILCON Cybersecurity Integration Energy Exchange 2017 - Track 4 - Cyber and Control System Technologies, Session 2 - Understanding and implementing the RMF Process Looking Forward: USACE MILCON Cybersecurity Integration Mr. Daniel Shepard

More information

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations VARONIS COMPLIANCE BRIEF NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) 800-53 FOR FEDERAL INFORMATION SYSTEMS CONTENTS OVERVIEW 3 MAPPING NIST 800-53 CONTROLS TO VARONIS SOLUTIONS 4 2 OVERVIEW

More information

ANATOMY OF AN ATTACK!

ANATOMY OF AN ATTACK! ANATOMY OF AN ATTACK! Are Your Crown Jewels Safe? Dom Kapac, Security Evangelist WHAT DO WE MEAN BY CROWN JEWELS? Crown jewels for most organizations are critical infrastructure and data Data is a valuable

More information

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT

More information

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices mike.garcia@cisecurity.org The big three in their own words ISO 27000: family of standards to help organizations

More information

Cyber Hygiene: A Baseline Set of Practices

Cyber Hygiene: A Baseline Set of Practices [DISTRIBUTION STATEMENT A] Approved for public Cyber Hygiene: A Baseline Set of Practices Matt Trevors Charles M. Wallen Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright

More information

Cybersecurity for Department of Defense Microgrids: An Army Perspective

Cybersecurity for Department of Defense Microgrids: An Army Perspective Cybersecurity for Department of Defense Microgrids: An Army Perspective Lori Ross O Neil with Cliff Glantz, David McKinnon, Fleur DePeralta, Mark Watson, Paul Boyd, Emily Barrett and Darlene Thorsen Pacific

More information

Cyber Security & Homeland Security:

Cyber Security & Homeland Security: Cyber Security & Homeland Security: Cyber Security for CIKR and SLTT Michael Leking 19 March 2014 Cyber Security Advisor Northeast Region Office of Cybersecurity and Communications (CS&C) U.S. Department

More information

Cyber Security Brian Bostwick OSIsoft Market Principal for Cyber Security

Cyber Security Brian Bostwick OSIsoft Market Principal for Cyber Security Cyber Security Presented by Brian Bostwick OSIsoft Market Principal for Cyber Security Cyber Security Trauma in the News Saudi Aramco Restores Network After Shamoon Malware Attack Hacktivist-launched virus

More information

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services Enhancing infrastructure cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services European Union Agency for Network and Information Security Securing Europe s Information society 2

More information

Industry Best Practices for Securing Critical Infrastructure

Industry Best Practices for Securing Critical Infrastructure Industry Best Practices for Securing Critical Infrastructure Cyber Security and Critical Infrastructure AGENDA - Difference between IT and OT - Real World Examples of Cyber Attacks Across the IT/OT Boundary

More information

Outline. Other Considerations Q & A. Physical Electronic

Outline. Other Considerations Q & A. Physical Electronic June 2018 Outline What is CUI? CUI Program Implementation of the CUI Program NIST SP 800-171A (Draft) Federal Acquisition Regulation update Basic and Specified CUI Marking Destruction Controlled Environments

More information

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE Aeronautical Telecommunication Network Implementation Coordination Group (ATNICG) ASIA/PAC RECOMMENDED SECURITY CHECKLIST September 2009

More information

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group Presentation Objectives Introductions Cyber security context Cyber security in the maritime sector Developing cybersecurity

More information

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security. Interactive Remote Access Compliance Workshop October 27, 2016 Eric Weston Compliance Auditor Cyber Security 2 Agenda Interactive Remote Access Overview Review of Use Cases and Strategy 1 Interactive Remote

More information

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency Mr. Ed Brindley Acting Deputy Cyber Security Department of Defense 7 March 2018 SUPPORT THE WARFIGHTER 2 Overview Secretary Mattis Priorities

More information

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI Executive Order 13636 & Presidential Policy Directive 21 Ed Goff, Duke Energy Melanie Seader, EEI Agenda Executive Order 13636 Presidential Policy Directive 21 Nation Infrastructure Protection Plan Cybersecurity

More information

Protecting Smart Buildings

Protecting Smart Buildings Protecting Smart Buildings The next frontier of critical infrastructure security Suzanne Rijnbergen - MBA visibility detection control Who am I? Global Director Professional Services @SecurityMatters (ForeScout)

More information

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs) Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs) Florida Hospital Association Welcome! John Wilgis Director, Emergency Management Services Florida Hospital Association

More information

DoD Strategy for Cyber Resilient Weapon Systems

DoD Strategy for Cyber Resilient Weapon Systems DoD Strategy for Cyber Resilient Weapon Systems Melinda K. Reed Office of the Deputy Assistant Secretary of Defense for Systems Engineering NDIA Systems Engineering Conference October 2016 10/24/2016 Page-1

More information

Federal Mobility: A Year in Review

Federal Mobility: A Year in Review Federal Mobility: A Year in Review Link: https://www.dhs.gov/csd-mobile Link: https://www.dhs.gov/publication/csd-mobile-device-security-study Vincent Sritapan Cyber Security Division Science and Technology

More information

Cybersecurity: Hope is Not a Strategy Daryl Haegley GISCP, OCP OASD EI&E / ODASD IE August 15, 2017

Cybersecurity: Hope is Not a Strategy Daryl Haegley GISCP, OCP OASD EI&E / ODASD IE August 15, 2017 Cybersecurity Basics for Energy Managers Cybersecurity: Hope is Not a Strategy Daryl Haegley GISCP, OCP OASD EI&E / ODASD IE August 15, 2017 Tampa Convention Center Tampa, Florida Smart Phones UNCLASSIFIED

More information

RISK MANAGEMENT FRAMEWORK COURSE

RISK MANAGEMENT FRAMEWORK COURSE RISK MANAGEMENT FRAMEWORK COURSE Secure Managed Instructional Systems, LLC Consulting Training Staffing Support 3350 Riverview Pkwy Suite 1900 * Atlanta, Georgia 30339 * Phone: 800-497-3376 * Email: semais@semais.net.*

More information

Security Metrics. February 25, Annabelle Lee Senior Technical Executive

Security Metrics. February 25, Annabelle Lee Senior Technical Executive Security Metrics February 25, 2015 Annabelle Lee Senior Technical Executive alee@epri.com Cybersecurity Capability Maturity Model (C2M2) Overview Expansion Project and Comparative Analysis Framework Implementation

More information

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events Location: Need the right URL for this document https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/detect/ndcbf_i

More information

SYSTEMS ASSET MANAGEMENT POLICY

SYSTEMS ASSET MANAGEMENT POLICY SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security

More information

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers

BILLING CODE P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission. [Docket No. RM ] Cyber Systems in Control Centers This document is scheduled to be published in the Federal Register on 07/28/2016 and available online at http://federalregister.gov/a/2016-17854, and on FDsys.gov BILLING CODE 6717-01-P DEPARTMENT OF ENERGY

More information

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer Safeguarding Controlled Unclassified Information and Cyber Incident Reporting Kevin R. Gamache, Ph.D., ISP Facility Security Officer Why Are We Seeing These Rules? Stolen data provides potential adversaries

More information

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld Balancing Compliance and Operational Security Demands Nov 2015 Steve Winterfeld What is more important? Compliance with laws / regulations Following industry best practices Developing a operational practice

More information

DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW. Version 2, Release October Developed by DISA for the DoD

DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW. Version 2, Release October Developed by DISA for the DoD DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW Version 2, Release 5 28 October 2016 Developed by for the DoD 28 October 2016 Developed by for the DoD Trademark Information Names, products,

More information

Medical Device Cybersecurity: FDA Perspective

Medical Device Cybersecurity: FDA Perspective Medical Device Cybersecurity: FDA Perspective Suzanne B. Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Office of the Center Director (OCD) Center for Devices and Radiological

More information

TACIT Security Institutionalizing Cyber Protection for Critical Assets

TACIT Security Institutionalizing Cyber Protection for Critical Assets TACIT Security Institutionalizing Cyber Protection for Critical Assets MeriTalk Cyber Security Exchange Quarterly Meeting December 18, 2013 Dr. Ron Ross Computer Security Division Information Technology

More information

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21 National and Cyber Security Branch Presentation for Gridseccon Quebec City, October 18-21 1 Public Safety Canada Departmental Structure 2 National and Cyber Security Branch National and Cyber Security

More information

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks. Presenter Jakob Drescher Industry Cyber Security 1 Cyber Security? Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks. Malware or network traffic

More information

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Remarks of Marcus Sachs, Senior Vice President and the Chief Security Officer North American Electric Reliability

More information

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

existing customer base (commercial and guidance and directives and all Federal regulations as federal) ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of

More information

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions DFARS 252.204.7012 Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions By Jonathan Hard, CEO And Carol Claflin, Director of Business Development H2L

More information

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS Can You Answer These Questions? 1 What s my company s exposure to the latest industrial cyber threat? Are my plants

More information

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government The Key Principles of Cyber Security for Connected and Automated Vehicles Government Contents Intelligent Transport System (ITS) & Connected and Automated Vehicle (CAV) System Security Principles: 1. Organisational

More information

ISA99 - Industrial Automation and Controls Systems Security

ISA99 - Industrial Automation and Controls Systems Security ISA99 - Industrial Automation and Controls Systems Security Committee Summary and Activity Update Standards Certification Education & Training Publishing Conferences & Exhibits September 2016 Copyright

More information

FISMA Cybersecurity Performance Metrics and Scoring

FISMA Cybersecurity Performance Metrics and Scoring DOT Cybersecurity Summit FISMA Cybersecurity Performance Metrics and Scoring Office of the Federal Chief Information Officer, OMB OMB Cyber and National Security Unit, OMBCyber@omb.eop.gov 2. Cybersecurity

More information

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

UNCLASSIFIED. FY 2016 Base FY 2016 OCO Exhibit R-2, RDT&E Budget Item Justification: PB 2016 Office of the Secretary Of Defense : February 2015 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 7: Operational Systems Development

More information

Brian S. Dennis Director Cyber Security Center for Small Business Kansas Small Business Development Center

Brian S. Dennis Director Cyber Security Center for Small Business Kansas Small Business Development Center Brian S. Dennis Director Cyber Security Center for Small Business Kansas Small Business Development Center What to expect from today: The ugly truth about planning Why you need a plan that works Where

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions

More information

Cybersecurity Test and Evaluation Achievable and Defensible Architectures

Cybersecurity Test and Evaluation Achievable and Defensible Architectures Cybersecurity Test and Evaluation Achievable and Defensible Architectures October 2015, ITEA Francis Scott Key Chapter Mr. Robert L. Laughman for COL Scott D. Brooks, Director, Survivability Evaluation

More information

Appendix 12 Risk Assessment Plan

Appendix 12 Risk Assessment Plan Appendix 12 Risk Assessment Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A12-1 RFP: TQC-JTB-05-0001 December 13, 2006 REVISION HISTORY

More information

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1. Securing the Smart Grid Understanding the BIG Picture The Power Grid The electric power system is the most capital-intensive infrastructure in North America. The system is undergoing tremendous change

More information

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium Securing Cyber Space & America s Cyber Assets: Threats, Strategies & Opportunities September 10, 2009, Crystal Gateway Marriott, Arlington,

More information

Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment

Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment S&L Logo Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment Date: October 24, 2017 Authors/Presenters: J. Matt Cole, PE

More information

Toward All-Hazards Security and Resilience for the Power Grid

Toward All-Hazards Security and Resilience for the Power Grid Toward All-Hazards Security and Resilience for the Power Grid Juan Torres Associate Laboratory Director, Energy Systems Integration National Renewable Energy Laboratory December 6, 2017 1 Grid Modernization

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services?

Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services? Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services?) Don Davidson Deputy Director, CS Implementation and CS/Acquisition

More information

Retrofitting Ground Systems to improve Cyber Security

Retrofitting Ground Systems to improve Cyber Security Retrofitting Ground Systems to improve Cyber Security Michael Worden Security Engineer 25 February 2014 Copyright 2014 Raytheon Company. Published by The Aerospace Corporation with permission.. Customer

More information

Emerging Issues: Cybersecurity. Directors College 2015

Emerging Issues: Cybersecurity. Directors College 2015 Emerging Issues: Cybersecurity Directors College 2015 Agenda/Objectives Define Cybersecurity Cyber Fraud Trends/Incidents FFIEC Cybersecurity awareness initiatives Community Bank expectations FFIEC Cybersecurity

More information

Back to Basics: Basic CIS Controls

Back to Basics: Basic CIS Controls Back to Basics: Basic CIS Controls Chad Waddell Enterprise Consultant Center for Internet Security 2 https://www.cisecurity.org/ Non-profit organization founded in 2000 Employs closed crowdsourcing model

More information