Cyber Security Update. Bennett L. Gaines Senior Vice President, Corporate Services, CIO, FirstEnergy 2012 Summer Seminar August 5-7, 2012

Transcription:


Agenda
- Timeline
- Regulatory / Compliance Environment
- Smart Grid
- Threats
- Priorities

Cyber Security Industry Timeline
2002
- Reliance on mechanical controls
- Department of Homeland Security created to protect infrastructure
2007
- Smart grid implementations started occurring
- State-sponsored Denial of Service attacks, millions of botnet victims found
2012
- Advancement of Digital Technology
- Regulatory/Compliance environment escalating
2017
- Prominent use of interconnected grid technology
- More effective Advanced Persistent Threats
2022
- Microgrids, Neighborhood generation
- Cyber infrastructure is mission critical

Regulatory / Compliance Environment
Federal
- Critical Infrastructure Protection (CIP): Protects the bulk electric system
- Department of Energy (DOE) 417 Protocol: Provides a mechanism for reporting cyber/physical disturbances on FE's portion of the bulk electric system
State
- Ohio Senate Bill 171: Regulates the registration of copper sales
- PaPUC Readiness and Self-Certification: Attestation of planning capabilities for physical, cyber, emergency response and business continuity
Local
- Records Compliance: Retrieval and archival of information for regulatory purposes
Opportunities
- Reduce/Mitigate Risk
- Protect/Ensure Reliability to the Bulk Electric Network
- Reduce Loss of Revenue
SOX: Entity level controls

Total NERC Reliability Enforcement Actions

Year     # Notice of Penalties     # Violations
2007     0                         0
2008     40                        110
2009     220                       780
2010     260                       810
2011     200                       1,370
Total    720                       3,070

Source: NERC Website
NOTE: Estimates

Smart Grid Modernization Challenges
[Timeline diagram spanning 2002, 2012 and 2022. Labels:]
- In-House Systems
- Electromechanical Control System
- Aging Infrastructure
- Mobile Workforce
- Critical Infrastructure
- Bi-Directional Communication
- Microgrids
- Instantaneous Information
- Full Deployment of Smart Grid
- Bring Your Own Device
- Integrating Cyber Resources
- Cloud Computing
- Advanced Persistent Threats

Smart Grid Technology Landscape
- Technical controls are required to meet the cyber security challenges.
- Isolation of layers provides protection of components and data.
- Level 2 is protected from Level 1 by firewalls and Intrusion Protection System.
- Security Control of Level 1 & 2 ensures monitoring and protection of these networks.
- EMS Network (Level 2), Substation Access Control (Level 3) and the Substation Network (Level 4) host Digital Assets.
- Access to devices within Level 4 is strictly controlled via device in Level 3.
- Level 5 communicates to a segmented DMZ.
- Level 6 communicates only with Level 5.
[Diagram labels:]
- Level 6: AMI
- Level 5: Collectors
- Level 4: Substation Network
- Level 3: Substation Access Control
- Level 2: EMS Network
- Level 1: Corporate Network
- Users, Access Control, Head End System

Threats
Customers
- Breach: Heartland Payment Systems Inc., Credit Card Transaction Processor
  - Custom Malware
  - Designed to avoid anti-virus
  - Installed on sensitive internet facing systems
- Impact:
  - At least 100 million credit and debit card numbers exposed
  - Recovery cost $12.6 million in 1st quarter after breach
Revenue
- Breach: Sony Entertainment Inc., Video Game company
  - Multiple breaches
  - Forced service shutdown
  - Victim of Hacktivism
- Impact:
  - Recovery cost at least $171 million
  - Playstation Network offline 24 days
Operations
- Breach: Natanz Nuclear Enrichment Plant, Iran
  - Stuxnet
  - Highly sophisticated APT
  - Targeted Siemens SCADA
- Impact:
  - Damaged Iranian centrifuges
  - Disrupted Iranian nuclear material production

Question: Are We Secure?

Answer
Historical Evidence
- No evidence of major cyber security incidents in North America that affected reliability of the grid.
Technological Improvements
- Cyber components enable constant monitoring to ensure reliability of grid
- Cyber components give real-time information for load prediction models
Regulatory Changes
- Transparency: visibility of program and efforts to secure the grid
- Forced Compliance: required controls implemented
Yes, But

Priorities
Invest in Technology
- Advancement of Cyber Security Network
- People and Processes
Learn From Mistakes
- Address Compliance Issues ASAP
- Measure and Report
Raise Profile of Cyber Security
- Tie to Key Performance Indicators
- Mandatory Employee Training
Summary
- Invest: 2-4% spent on technology/resources for cyber security
- Compliance: Foster a culture of compliance
- Governance: Annual review of cyber security with the Board of Directors