Cyber Security Over Time

Transcription

1 Cyber Security Over Time GridSecCon 2013 Office of Energy Infrastructure Security October 16,

2 Global Internet Usage Estimated that there are approximately 3 Billion users worldwide as of September

3 Setting the Stage - Motivation With 3 Billion users in the world it is impossible to know what motivates people to do certain things /12/22/cold-boost-metabolism/

4 The Odds - Few Against the Many At Thermopylae in the late Summer of 480 B.C., Leonidas, the Spartan king, held out for three days with a mere 300 Hoplites against thousands of Persian fighters led by King Xerxes /09/leonidas-and-battle-atthermopylae.html

5 Today Few Against the Many Defending the onslaught: Skill, Tools, Imagination MISSION%20STATEMENT.aspx 5

6 Defense A Dynamic Posture 6 Past success should not be the basis for future defense The Maginot Line relied on past engagements and assumptions for success The Attackers adapted to the defenses and executed a work around As a defender, always expect the unexpected

7 Intelligence, Creativity, Skill The attacker gathered intelligence of how the defenses were deployed and operated Creative strategy to leverage gathered intelligence Skill to adapt tools, tactics, and procedures Defense requires this same mindset 7

8 Hack and Destroy! 8

9 State of the Union July

10 Dynamic Approach to Security 10 September 2012 Chairman Wellinghoff created the Office of Energy Infrastructure Security (OEIS) separated from compliance (more detail later) to quickly adapt to changing threats OEIS Staffed December 2012 currently 18 Why? Share lessons learned, strategies, and practices for cyber and physical security Private Sector / Trade Organizations / Associations Government / Academia / ISACs Vendors / Researchers

11 OEIS Primary Sectors of Focus Electric (generation, transmission, distribution) Hydro-electric (non-federal) Oil and Natural Gas pipelines (interstate) Liquefied Natural Gas 11

12 OEIS: A Unique FERC Office OEIS is non-regulatory and its mission does not include compliance or enforcement actions All OEIS staff is PCII certified Team with our public and private partners to share information, techniques, and lessons learned Perform analysis of the cyber and physical threats Monitor classified and open source information Provide threat briefings to partners (government/private) at the appropriate classification level upon request 12

13 OEIS: A Unique FERC Office (cont d) 13 Cyber security, a holistic approach Lessons learned beyond scope NERC CIP (for electric) Internet to field devices and everything in-between (all connectivity) Architecture reviews (anonymously performed) Reviews already performed Positive feedback Physical Security EMP, GMD, EMI, and Sabotage Physical security reviews (anonymously performed) Modeling for significant node identification (for electric)

14 OEIS: A Unique FERC Office (cont d) Technical input to NIST Cyber Framework development Provide Subject Matter Expertise to support Commission offices Understand interdependencies between all critical sectors and leverage lessons learned 14

15 Questions Barry Kuehnle Federal Energy Regulatory Commission Office of Energy Infrastructure Security * The content in this brief are my views and may not represent the views of the Commission 15