Cybersecurity for Energy Delivery Systems. Michael Assante & Tim Conway (Under contract to DOE through Idaho National Laboratory)
1 Cybersecurity for Energy Delivery Systems
Michael Assante & Tim Conway (Under contract to DOE through Idaho National Laboratory)
October, 2016
2 Agenda
1. Event deconstruction
2. Mitigations
3. Discussion
3 Ukraine Event, December 23, 2015
4 Presentation Perspective
An interagency team composed of representatives from the NCCIC/ICS-CERT, U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation traveled to Ukraine to collaborate and gain more insight. Mike Assante and Tim Conway, as DOE INL subcontractors, were added to the team by DOE to bring their electricity sector and SANS experience to bear on this critical incident. This briefing is our post-trip report. The mitigation guidance for consideration is our own and is offered as is, as general concepts to simply inform thinking.
5 Geographic Orientation (map only)
6 Power System Orientation (figure only)
7 Power System Element: Distribution
Source: modification of an image from the Energy Sector-Specific Plan
8 Event Summary
- Through interviews, the team concluded that a remote cyber attack caused power outages at three Ukrainian distribution entities (Oblenergos), impacting approximately 225,000 customers.
- While power has been restored, all the impacted Oblenergos continue to operate in a degraded state.
- The attack included elements to disrupt power flow and to exaggerate the outage by damaging the SCADA/DMS and communication infrastructure used to support power dispatching.
9 Attack flow: Reconnaissance -> Spearphish -> Foothold -> Credentials / Pivot -> VPN Access / Discovery -> Operations / Firmware -> KillDisk, UPS, TDoS
10 Attack Steps (x3)
- Infect, Foothold, C2
- Harvest Credentials
- Achieve Persistence & IT Control
- Discover SCADA, Devices, Data
- Develop Attack CONOP
- Position
- Execute Attack:
  - SCADA/DMS Dispatcher Client/WS Hijacking
  - Malicious firmware uploads
  - KillDisk wiping of WS & servers
  - UPS disconnects & TDoS
11 ICS Kill Chain Mapping (Stage 1) (figure only)
12 ICS Kill Chain Mapping (Stage 2) (figure only)
13 (figure only)
14 Keeping Perspective
The Ukraine cyber attacks are the first publicly acknowledged intentional cyber attacks to result in power outages. As future attacks occur, it is important to scope the impacts of the incident being examined. Power outages should be measured in scale (number of customers and electricity infrastructure involved) and in duration to full restoration. These incidents impacted up to 225,000 customers in three different distribution-level service territories, lasting several hours. These incidents would be rated on a macro scale as low in terms of power system impacts, as the outage impacted a very small number of overall power consumers in Ukraine and the duration was limited. We are confident that the companies impacted would have rated these incidents as high or critical to their business and the reliability of their systems.
15 (figure only)
16 How Sophisticated Was It?
17 Rating this Attack
CONOP: 3 - A complex and successful attack plan
Sophistication: 1 - Some sophistication in the SCADA/DMS hijacking method, but the majority of it was not
ICS Customization: 2 - Rogue client hijacking demonstrated some customization
Effect: 2 - Electricity outage in three service territories, restored in hours
18 Guidance & Mitigation Concepts
Published advisories and SCADA/DMS mitigations
19 ICS-CERT Alert (figure only)
20 E-ISAC Alert: Level 2 NERC Alert (R ) released February 9, 2016 (document link fragment: /api/documents/4199/publicdownload)
21 Number One Question
"Can this happen in North America, and doesn't NERC CIP protect us?" (an audience member at every Ukraine discussion)
Two clarifying topics:
1. Applicability
2. Which NERC CIP?
22 Applicability of NERC CIP
Strategic: BES Reliability Standards Development; Sufficiency Reviews; Early Adopter Program; Lessons Learned Program
Tactical: Compliance Audits; Enforcement Determination; Standards / RFI Approval; FERC Filings; Event Analysis; E-ISAC Investigations
23 Compliance and Security
NERC: a house with many rooms, in support of a common mission
24 Energy Policy Act
25 Bulk Electric System
Transmission Elements operated at 100 kV or higher and Real Power and Reactive Power resources connected at 100 kV or higher. This does not include facilities used in the local distribution of electric energy.
Five inclusion statements; four exclusion statements.
26 Applicability of NERC CIP
For Balancing Authority (BA), Generator Operator (GOP), Generator Owner (GO), Interchange Coordinator or Interchange Authority, Reliability Coordinator (RC), Transmission Operator (TOP), Transmission Owner (TO): all BES Facilities are in scope.
For Distribution Provider:
- UFLS or UVLS systems identified above
- Special Protection Systems (SPS) or Remedial Action Schemes (RAS) identified above
- Each Cranking Path and group of Elements identified above
27 NERC Registration?
Source: modification of an image from the Energy Sector-Specific Plan
28 The CIP of Old (diagram)
- Bulk Electric System
- Critical Assets
- Critical Cyber Assets (CCAs) covered by CIP
- Other Cyber Assets covered by CIP
29 CIP 2.0: H / M / L
30 Applicability Variations
31 ES-C2M2 Model
32 Maturity Indicator Level Descriptions
MIL0, Not Performed: MIL1 has not been achieved in the domain
MIL1, Initiated: Initial practices are performed but may be ad hoc
MIL2, Performed: Practices are documented; stakeholders are involved; adequate resources are provided for the practices; standards or guidelines are used to guide practice implementation; practices are more complete or advanced than at MIL1
MIL3, Managed: Domain activities are guided by policy (or other directives); activities are periodically reviewed for conformance to policy; responsibility and authority for practices are clearly assigned to personnel with adequate skills and knowledge; practices are more complete or advanced than at MIL2
33 ES-C2M2 view of CIP (figure: High and Low)
34 Qualified Answer
"Can this happen in North America, and doesn't NERC CIP protect us?" (an audience member at every Ukraine discussion)
If the CIP High requirements were in place at the targeted location, and the adversary attempted the same attack actions without modification, they would have been stopped.
35 Leverage What You Have
- Standards
- Regulation and enforcement
- Information sharing construct
- Exercises and drills
- Training
36 Attack Elements Discussion
Elements (Ukraine event and significant events, based on publicly available reporting): Spearphish; Credential Theft; VPN Access; Workstation Remote Access; Control & Operate; Tools & Tech
37 You are the Defensive Coordinator
38 Spearphish
Ukraine event: targeted spearphish (timely; sense of urgency; well written; legitimacy; trusted sender)
Mitigation, Training: awareness training; phishing testing
Anticipated: web-based attacks (Google rankings; page hijack; DNS redirect; local system redirect; drive-by downloads)
Mitigation, Contested Territory: isolate and control; filtering (detection based, reputation based)
39 Credential Theft
Ukraine event: targeted malware (malware variants; modular capabilities; keystroke logger; network capture)
Mitigation, Remediate: YARA & AV; change PW
Anticipated: credential theft (pass the hash; PW cracking; privilege escalation; hash file attacks)
Mitigation: normalize network and directory activity; alert on the abnormal
Mitigation, Defense in Depth: directory segmentation; zones of trust
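The credential-theft mitigations on this slide (normalize network and directory activity, then alert on the abnormal) can be turned into concrete detection logic. The following is an added example, not code from the deck or from DOE/INL: it baselines which (source host, destination host) pairs each account normally authenticates across, then flags both previously unseen paths and an account fanning out to several new hosts within minutes, which is what harvested credentials being used to pivot look like. The logon records, host names, field layout and thresholds are constructed for illustration.

```python
"""Baseline-and-alert logic for account authentication paths.

Added example, not from the DOE/INL deck. The record layout
(timestamp, account, source host, destination host), the host names and
the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: successful logons during a quiet baseline period.
BASELINE_EVENTS = [
    ("2015-11-02T08:01:00", "jdoe", "WS-OPS-07", "FS-01"),
    ("2015-11-03T08:05:00", "jdoe", "WS-OPS-07", "FS-01"),
    ("2015-11-04T09:12:00", "jdoe", "WS-OPS-07", "MAIL-01"),
    ("2015-11-02T07:55:00", "svc-backup", "BK-01", "FS-01"),
    ("2015-11-03T07:55:00", "svc-backup", "BK-01", "FS-02"),
    ("2015-11-02T10:30:00", "admin-t", "WS-IT-02", "DC-01"),
]

# Constructed sample from the detection window: a compromised office
# workstation re-uses jdoe's credentials against hosts jdoe never touched,
# all inside a couple of minutes.
WINDOW_EVENTS = [
    ("2015-12-20T02:14:00", "jdoe", "WS-OPS-07", "FS-01"),        # normal
    ("2015-12-20T02:15:10", "jdoe", "WS-OPS-07", "DC-01"),        # new path
    ("2015-12-20T02:15:40", "jdoe", "WS-OPS-07", "VPN-GW"),       # new path
    ("2015-12-20T02:16:05", "jdoe", "WS-OPS-07", "SCADA-HIST"),   # new path
    ("2015-12-20T02:16:30", "jdoe", "WS-OPS-07", "JUMP-01"),      # new path
    ("2015-12-20T09:00:00", "admin-t", "WS-IT-02", "DC-01"),      # normal
]


def build_baseline(events):
    """Per account, the set of (src, dst) pairs seen in the baseline period."""
    seen = defaultdict(set)
    for _, user, src, dst in events:
        seen[user].add((src, dst))
    return seen


def detect(baseline, events, fanout=3, window=timedelta(minutes=10)):
    """Return alerts as tuples (kind, user, src, dst, timestamp).

    kind == "new_path": the account used a (src, dst) pair never seen in baseline.
    kind == "fanout":   the account reached `fanout` distinct new hosts within
                        `window` (fires once, when the threshold is first hit).
    """
    alerts = []
    recent = defaultdict(list)  # user -> [(time, dst)] of recent new paths
    for ts_s, user, src, dst in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_s)
        if (src, dst) in baseline.get(user, set()):
            continue
        alerts.append(("new_path", user, src, dst, ts_s))
        recent[user] = [(t, d) for t, d in recent[user] if ts - t <= window]
        recent[user].append((ts, dst))
        if len({d for _, d in recent[user]}) == fanout:
            alerts.append(("fanout", user, src, None, ts_s))
    return alerts


def run_demo():
    """Build the baseline, scan the window, and return the alert list."""
    return detect(build_baseline(BASELINE_EVENTS), WINDOW_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed data the run yields four `new_path` alerts for `jdoe` and a single `fanout` alert at the third new host. In practice the baseline would be rebuilt from directory and network logs over weeks rather than days, and service accounts such as `svc-backup` deserve a tighter fanout threshold than interactive users, since they should never reach a host outside their fixed job.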
40 VPN Access
Ukraine event: trusted access (authenticating as a trusted user; leveraging approved communication paths)
Mitigation, Strengthen: two factor; dedicated tokens
Anticipated: alternate remote access methods; target a trusted user with VPN access; target a trusted vendor with VPN access
Mitigation, Trust: why is it there; activate at time of use; jump host; no split tunneling
41 Workstation Remote Access
Ukraine event: remote capabilities (utilizing approved tools; appearing as an approved process; utilizing approved user credentials)
Mitigation, Harden: disable remote access; block at perimeter FW
Anticipated: manipulating remote capabilities (scheduled tasks to call out; reverse shell; exploiting vulnerabilities to gain access)
Mitigation: conservative operations; sectionalizing
Mitigation, Manage: configure host FW; monitor config changes
42 Control and Operate
Ukraine event: misuse of the application (utilizing the technology in a way it was not intended; manipulating the data to cause a misoperation)
Mitigation, App Security: logic for confirmation; AOR
Anticipated: integrity loss (manipulate data in transit; leverage the communications paths and unauthenticated protocols to initiate commands)
Mitigation: manual operations; load shed
Mitigation, Communication: path encryption; protocol encryption
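The "App Security: logic for confirmation, AOR" mitigation on this slide is an application-layer control inside the dispatcher client or DMS. The following is an added example, not code from the deck or from any DMS vendor: a select-before-operate gate that executes a breaker command only if the same operator selected the same device and action within a short window, and only for devices inside that operator's area of responsibility (AOR). The operator names, device names, AOR table and the 30-second arming window are assumptions for illustration.

```python
"""Select-before-operate gate with area-of-responsibility (AOR) checks.

Added example, not from the DOE/INL deck or any vendor product. Operators,
devices, the AOR table and the arming window are assumptions.
"""
from dataclasses import dataclass, field

# Constructed: which dispatcher may operate which substations (the AOR)
AOR = {"disp-north": {"SUB-N1", "SUB-N2"}, "disp-south": {"SUB-S1"}}
# Constructed: breakers and the substation each belongs to
DEVICES = {"CB-101": "SUB-N1", "CB-102": "SUB-N2", "CB-201": "SUB-S1"}
ACTIONS = {"open", "close"}


@dataclass
class ControlGate:
    select_ttl: float = 30.0  # seconds a selection stays armed (assumed value)
    armed: dict = field(default_factory=dict)    # operator -> (device, action, t_select)
    journal: list = field(default_factory=list)  # (t, operator, device, action, result)

    def _record(self, now, operator, device, action, result):
        """Journal every decision; denials are the signal a SOC should alert on."""
        self.journal.append((now, operator, device, action, result))
        return result == "ok", result

    def select(self, operator, device, action, now):
        """Step 1: arm one device for one operator.

        Rejects unknown devices or actions and anything outside the operator's
        AOR. An operator can have only one device armed at a time, so a hijacked
        session cannot pre-select a whole substation and fire it in one go.
        """
        if action not in ACTIONS or device not in DEVICES:
            return self._record(now, operator, device, action, "deny:unknown")
        if DEVICES[device] not in AOR.get(operator, set()):
            return self._record(now, operator, device, action, "deny:outside_aor")
        self.armed[operator] = (device, action, now)
        return self._record(now, operator, device, action, "ok")

    def execute(self, operator, device, action, now):
        """Step 2: execute only what the same operator armed, unexpired.

        The selection is consumed whether or not execution succeeds, so every
        operation costs a fresh select/execute pair.
        """
        armed = self.armed.pop(operator, None)
        if armed is None:
            return self._record(now, operator, device, action, "deny:not_selected")
        a_device, a_action, t_select = armed
        if (a_device, a_action) != (device, action):
            return self._record(now, operator, device, action, "deny:mismatch")
        if now - t_select > self.select_ttl:
            return self._record(now, operator, device, action, "deny:expired")
        return self._record(now, operator, device, action, "ok")

    def denials(self):
        """All journaled decisions that were refused."""
        return [entry for entry in self.journal if entry[4] != "ok"]


if __name__ == "__main__":
    gate = ControlGate()
    print(gate.select("disp-north", "CB-101", "open", now=0.0))   # (True, 'ok')
    print(gate.execute("disp-north", "CB-101", "open", now=5.0))  # (True, 'ok')
    print(gate.select("disp-north", "CB-201", "open", now=10.0))  # outside AOR
    for entry in gate.denials():
        print("DENIED", entry)
```

A hijacked dispatcher session still carries the operator's identity, so this gate does not by itself stop the attack the deck describes. What it buys is a smaller blast radius (one device at a time, only inside the AOR), a forced pause and a second deliberate action per operation, and a journal of denials that an operator or SOC can alert on; a burst of `deny:outside_aor` or `deny:not_selected` entries from one session is itself an indicator of a rogue client.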
43 Tools and Tech
Ukraine event: cyber-enabled everything (IP-reliant voice communications; network-connected building control systems; field device manipulation)
Mitigation, Eliminate: filter calls by source; disconnect BCS from net; disable remote mgmt
Anticipated: availability / misuse (firmware-level manipulation; impact power delivery internal to facility; impede restoration due to communication losses)
Mitigation: blackstart plans; islanding; mutual aid
Mitigation, Device: disable remote FW updates; ATS, backup gen; secondary comms
44 Review the Tape of the Adversary
- Past critical infrastructure campaigns
- Data breaches
- ICS-specific malware
- Kill chain analysis
45 What will your attack look like?
4. Adversary Intent
5. External Drivers
46 System Variables
- System Vendor: in many cases, vendor-specific design criteria will determine system requirements
- Applications: third-party applications required for operational [text truncated in source]
- Infrastructure
- Physical System Design Decisions
- Operating Procedures
- Control Philosophy
- System Management: patching, change control, monitoring, [word truncated in source], malware protection, account management
47 Altering any element affects the overall security of the system, with each element having dependencies and effects on the security of the other elements of the overall system.
Foundation: invest in people. Foundation: develop sound policies and procedures.
48 Take Action!
49 Moving From Stage 1 to Stage 2
Stage 1: the adversary has successfully performed the necessary elements of the Stage 1 kill chain. To have an ICS effect, the adversary needs to move into the elements of the Stage 2 ICS kill chain.
The great unknown: map environment; understand ICS operation.
Candidate paths into the ICS environment:
- Trusted connections
- Vendor access
- Support personnel remote access
- System backup or alternate site replication tasks
- System management communications (patching, monitoring, alerting, configuration and change mgmt)
- Data historians
- Direct access dial-up
- Waterholing attacks
- Social engineering
Stage 2: when the adversary has identified a path into the ICS environment, the Stage 2 ICS kill chain elements can be acted upon.
50 Opportunities to Disrupt
Time axis on the slide: 6 mo, 9 mo, 12 mo (preparation), hours (pre-work), minutes to hours (event).
- IT Preparation (unobservable by the target): target selection; target mapping; malware development and testing
- Spear phishing: delivery of phishing; malware launch from infected office documents; establish foothold
- Hunting and Gathering: lateral movement and discovery; credential theft and VPN access; control system network and host mapping
- ICS Preparation (unobservable by the target): malicious firmware development; DMS environment research and familiarization; attack testing and tuning
- Sequence Pre-Work: upload additional attack modules (KillDisk); schedule KillDisk wipe; schedule UPS load outage
- Attack Position: establish remote connections to operator HMIs at target locations; prepare TDoS dialers
- Attack Launch: issue breaker open commands; modify field device firmware; perform TDoS; scheduled UPS and KillDisk
- Target Response: connection sever; manual mode / control inhibit; cyber asset restoration; electric system restoration; constrained operations; forensics; information sharing; system hardening and prep
51 Lessons Learned
- Training
- Planning and Analysis
- Load Shed
- EOP
- Blackstart
52 Lessons Learned Translated
- Cyber contingency analysis: continuous analysis and preparing the system for the next event
- Cyber failure planning: modeling and testing cyber system response to network and asset outages
- Cyber conservative operations: intentionally eliminating planned and unplanned changes, as well as stopping any potentially impactful processes
- Cyber load shed: eliminating all unnecessary network segments, communications, and cyber assets that are not operationally necessary
- Cyber RCA: root cause analysis forensics to determine how an impactful event occurred and ensure it is contained
- Cyber blackstart: cyber asset base configurations and bare-metal build capability to restore the cyber system to a critical service state
- Cyber mutual aid: ability to utilize ISACs, peer utilities, law enforcement and intelligence agencies, as well as contractors and vendors, to respond to large-scale events
53 Prepare to Defend the Effect
Component | Mitigation N | Mitigation N+1 | Mitigation N+X
Spear phish | Training | Filter | System Spec
Credential Theft | Remediate (PW) | Defense in Depth | Protection Devices
VPN Access | Strengthen | Trust | RCA / EOP
Workstation Remote Access | Harden | Manage | Conservative Operations / Sectionalizing
Control and Operate | App Security | Communication | Manual Operations / Load Shed
Tools and Tech | Eliminate | Device | Black Start / Mutual Aid
54 Ten items for your to-do list
1. Register and test E-ISAC access
2. Contact local FBI & ICS-CERT
3. Review internal IR plans
4. Review alerts, documents, and NERC Level 2 alert response progress
5. Identify and review electronic access points
6. Develop procedure to disconnect
7. Review / develop full system restore capabilities
8. Participate in exercises
9. Work with NERC training staff to train operators
10. Ask for help
55 Questions (питання)
56 References & Products
- NCCIC/ICS-CERT Incident Alert IR-Alert-H P, Ukrainian Power Outage Event, February 12, 2016 (TLP:GREEN): high-level summary of the incident elements; mitigation guidance; detection pointers & indicators (IOCs)
- NERC E-ISAC: Mitigating Adversarial Manipulation of Industrial Control Systems as Evidenced By Recent International Events, February 9, 2016 (TLP:RED): tactics used by actors with mitigation options
- ICS-CERT BlackEnergy YARA signature
- Initial Findings of the US Delegation examining the events of December 23rd, 2015, PowerPoint presentation, February 2016
- E-ISAC & SANS Defense Use Case
57 Guidance Documents / Research & Development / CEDS / Incident Coordination / Deployment
58 Cyber Incident Coordination
Coordinate response with federal and industry partners. Share information and facilitate access to technical sector-specific expertise while ensuring unity of effort and unity of message.
Collaboration with industry for participation in national and regional preparedness projects, including cyber exercises:
- ESCC Playbook Exercise
- New York State Cybersecurity Exercise (NYSCE)
- Dams Sector Information Sharing Drill
- North American Electric Reliability Corporation (NERC) Grid Security Exercise (GridEx)
59 Office of Electricity Delivery & Energy Reliability, U.S. Department of Energy
New Brunswick Energy and Utilities Board Reliability Standards, Compliance and Enforcement Program New Brunswick 2018 Annual Implementation Plan Version 1 December 28, 2017 Table of Contents Version History...
More informationAdditional 45-Day Comment Period September Final Ballot is Conducted October/November Board of Trustees (Board) Adoption November 2014
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationCloudSOC and Security.cloud for Microsoft Office 365
Solution Brief CloudSOC and Email Security.cloud for Microsoft Office 365 DID YOU KNOW? Email is the #1 delivery mechanism for malware. 1 Over 40% of compliance related data in Office 365 is overexposed
More informationDefense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation
Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More informationExercise of FERC Authority for Cybersecurity of the North American Electric Grid
Exercise of FERC Authority for Cybersecurity of the North American Electric Grid Thomas S. Popik Joseph M. Weiss George R. Cotter FERC Docket RM15-14-000 www.resilientsocieties.org Agenda Overall Concerns
More informationA. Introduction. Page 1 of 22
The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure
More informationCIP Cyber Security Security Management Controls. Standard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationEFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave
EFFECTIVELY TARGETING ADVANCED THREATS Terry Sangha Sales Engineer at Trustwave THE CHALLENGE PROTECTING YOUR ENVIRONMENT IS NOT GETTING EASIER ENDPOINT POINT OF SALE MOBILE VULNERABILITY MANAGEMENT CYBER
More informationReal-world Practices for Incident Response Feb 2017 Keyaan Williams Sr. Consultant
Real-world Practices for Incident Response Feb 2017 Keyaan Williams Sr. Consultant Agenda The Presentation Beginning with the end. Terminology Putting it into Action Additional resources and information
More informationCLICK TO EDIT MASTER TITLE RECENT STYLE APT CAMPAIGN TARGETING ENERGY SECTOR ASSETS
National Cybersecurity and Communications Integration Center (NCCIC) Hunt and Incident Response Team (HIRT) CLICK TO EDIT MASTER TITLE RECENT STYLE APT CAMPAIGN TARGETING ENERGY SECTOR ASSETS Jonathan
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationSecurity & Phishing
Email Security & Phishing Best Practices In Cybersecurity Presenters Bill Shieh Guest Speaker Staff Engineer Information Security Ellie Mae Supervisory Special Agent Cyber Crime FBI 2 What Is Phishing?
More informationChapter X Security Performance Metrics
Chapter X Security Performance Metrics Page 1 of 9 Chapter X Security Performance Metrics Background For the past two years, the State of Reliability report has included a chapter for security performance
More informationRSA NetWitness Suite Respond in Minutes, Not Months
RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations
More informationCIP Cyber Security Information Protection
A. Introduction 1. Title: Cyber Security Information Protection 2. Number: CIP-011-2 3. Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements
More informationCyber Security of Industrial Control Systems (ICSs)
Cyber Security of Industrial Control Systems (ICSs) February 23, 2016 Joe Weiss PE, CISM, CRISC, ISA Fellow Managing Partner Applied Control Solutions, LLC (408) 253-7934 joe.weiss@realtimeacs.com Applied
More informationHeavy Vehicle Cyber Security Bulletin
Heavy Vehicle Cyber Security Update National Motor Freight Traffic Association, Inc. 1001 North Fairfax Street, Suite 600 Alexandria, VA 22314 (703) 838-1810 Heavy Vehicle Cyber Security Bulletin Bulletin
More informationERO Enterprise IT Projects Update
ERO Enterprise IT Projects Update Stan Hoptroff, Vice President, Chief Technology Officer and Director of Information Technology Technology and Security Committee Meeting November 6, 2018 Agenda ERO IT
More informationJim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas
Jim Brenton Regional Security Coordinator ERCOT Electric Reliability Council of Texas Facts expressed in this presentation are Facts Opinions express in this presentation are solely my own The voices I
More informationStandard CIP 007 3a Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3a 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for
More informationMarch 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices
March 6, 2019 Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices On July 21, 2016, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability
More informationLanguage for Control Systems
Cyber Security Procurement e Language for Control Systems Rita Wells Idaho National Laboratory Program Sponsor: National Cyber Security Division Control Systems Security Program Agenda Background Foundation
More informationGrid Security & NERC. Council of State Governments. Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016
Grid Security & NERC Council of State Governments The Future of American Electricity Policy Academy Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016 1965 Northeast blackout
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft
More informationJuly 12, Order No. 822, Revised Critical Infrastructure Protection Reliability Standards, 154 FERC 61,037, at P 64 (2016).
!! July 12, 2017 VIA ELECTRONIC FILING Veronique Dubois Régie de l'énergie Tour de la Bourse 800, Place Victoria Bureau 255 Montréal, Québec H4Z 1A2 Re: Remote Access Study Report Dear Ms. Dubois: On June
More informationThis draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationIPM Secure Hardening Guidelines
IPM Secure Hardening Guidelines Introduction Due to rapidly increasing Cyber Threats and cyber warfare on Industrial Control System Devices and applications, Eaton recommends following best practices for
More informationChapter X Security Performance Metrics
Chapter X Security Performance Metrics Page 1 of 10 Chapter X Security Performance Metrics Background For many years now, NERC and the electricity industry have taken actions to address cyber and physical
More informationIndustry role moving forward
Industry role moving forward Discussion with National Research Council, Workshop on the Resiliency of the Electric Power Delivery System in Response to Terrorism and Natural Disasters February 27-28, 2013
More informationA. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider
The Background, VRF/VSLs, and Guidelines and Technical Basis Sections have been removed for this informal posting. The Project 2016-02 is seeking comments around the concept of the Requirement/Measure
More informationSecuring Industrial Control Systems
L OCKHEED MARTIN Whitepaper Securing Industrial Control Systems The Basics Abstract Critical infrastructure industries such as electrical power, oil and gas, chemical, and transportation face a daunting
More informationFTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.
FTA 2017 SEATTLE Cybersecurity and the State Tax Threat Environment 1 Agenda Cybersecurity Trends By the Numbers Attack Trends Defensive Trends State and Local Intelligence What Can You Do? 2 2016: Who
More informationSOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM
SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM OVERVIEW The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders.
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More information