Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Transcription

1 Cyber Security For Utilities Risks, Trends & Standards IEEE Toronto March 22, 2017 Doug Westlund Senior VP, AESI Inc.

2 Agenda Cyber Security Risks for Utilities Trends & Recent Incidents in the Utility Sector Standards Q & A SLIDE 2

3 Physical & Cyber Security for Utilities SLIDE 3

4 The Threat Landscape SLIDE 4

5 The Threat Landscape SLIDE 5

6 The LDC Attack Surface Third Party Vendors Privacy Risk External Risk External Risk LDC Customers (Residential, Commercial, Industrial) LDC Corporate Applications and Technology (IT) Insider Risk LDC Operational Applications and Technology (OT) System Risk Distributed Energy Resources - MicroGrids Communications Risk Unpatched Risk Legacy Risk Bulk Electric System ICCP Connection External Risk TS Connection SLIDE 6

7 Chronology of a Typical Cyber Attack Development of Target Gain Access with Discovery Arm Cyber Weapons & Launch Attack Exploit Cover Up SLIDE 7

8 Trends & Recent Incidents In the Utility Sector SLIDE 8

9 Cyber Attacks on Utilities SLIDE 9

10 Cyber Attacks on Utilities SLIDE 10

11 Cyber Attacks on Utilities Compromised Hydro One computer shows difficulty of tracking hackers SLIDE 11

12 Cyber Security & Overall Risk Management Computer crimes/ hacking have emerged for the first time as a top-10 risk Cyber risk is fast moving, impossible to predict, and difficult to understand, but the damage can be immense SLIDE 12

13 Trends & Future Considerations Advanced Persistent Threats Growing Attack Surface Liabilities Financial Risk Resources / Budgets Business & Operational Risk SLIDE 13

14 Philosophy & Culture of Cyber Security It is a Risk Management issue, not an IT issue Executive Team / Management Team / Board support is crucial It is a continuous process requiring increasing maturity levels, not a one and done DOE C2M2 Maturity Levels MIL0: Not Performed MIL1: Initiated MIL2: Repeatable MIL3: Managed / Adaptive Can emulate existing safety programs SLIDE 14

15 Standards SLIDE 15

16 Bulk vs Non-Bulk Electric System Standards Utility Types Bulk System Generators, Transmission Entities Non-Bulk System Distribution Entities Examples OPG, Hydro One Toronto Hydro Mandatory Cyber Security Standards NERC CIP Ontario: OEB Framework Rest of North America: None (NIST = de facto) SLIDE 16

17 NERC CIP Standards CIP v6 CIP CIP CIP CIP CIP CIP CIP CIP CIP CIP CIP Title Bulk Electric System (BES) Cyber System Categorization Security Management Control Personnel & Training (Access Management) Electronic Security Perimeter(s) Physical Security of BES Cyber Systems System Security Management Cyber Security Incident Reporting and Response Planning Recovery Plan for BES Cyber System Configuration Change Management & Vulnerability Assessment Information Protection Physical Security of Transmission Stations SLIDE 17

18 NIST Cybersecurity Framework NIST Framework for Improving Critical Infrastructure Cybersecurity Identify:1. Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy Protect:2. Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology Detect:3. Anomalies and Events, Security Continuous Monitoring, Detection Processes Respond:4. Response Planning, Communications, Analysis, Mitigation, Improvements Recover:5. Recovery Planning, Improvements, Communications SLIDE 18

19 SLIDE 19

20 Thank You Doug Westlund Senior VP AESI Inc ext 278 SLIDE 20