Cyber Security Update
Bennett L. Gaines, Senior Vice President, Corporate Services, CIO, FirstEnergy
2012 Summer Seminar, August 5-7, 2012

Agenda
  Timeline
  Regulatory / Compliance Environment
  Smart Grid
  Threats
  Priorities

Cyber Security Industry Timeline
  2002: Reliance on mechanical controls. Department of Homeland Security created to protect infrastructure.
  2007: Smart grid implementations started occurring. State-sponsored Denial of Service attacks, millions of botnet victims found.
  2012: Advancement of digital technology. Regulatory/compliance environment escalating.
  2017: Prominent use of interconnected grid technology. More effective Advanced Persistent Threats.
  2022: Microgrids, neighborhood generation. Cyber infrastructure is mission critical.

Regulatory / Compliance Environment
  Federal
    Critical Infrastructure Protection (CIP): Protects the bulk electric system
    Department of Energy (DOE) 417 Protocol: Provides a mechanism for reporting cyber/physical disturbances on FE's portion of the bulk electric system
  State
    Ohio Senate Bill 171: Regulates the registration of copper sales
    PaPUC Readiness and Self-Certification: Attestation of planning capabilities for physical, cyber, emergency response and business continuity
  Local
    Records Compliance: Retrieval and archival of information for regulatory purposes
  Opportunities
    Reduce/Mitigate Risk
    Protect/Ensure Reliability to the Bulk Electric Network
    Reduce Loss of Revenue
  SOX: Entity level controls

Total NERC Reliability Enforcement Actions

  Year     # Notice of Penalties     # Violations
  2007       0                           0
  2008      40                         110
  2009     220                         780
  2010     260                         810
  2011     200                       1,370
  Total    720                       3,070

  NOTE: Estimates
  Source: NERC Website

Smart Grid Modernization Challenges
  [Figure: timeline from 2002 through 2012 to 2022]
  Labels above the timeline: In-House Systems; Electromechanical Control System; Aging Infrastructure; Mobile Workforce; Critical Infrastructure; Bi-Directional Communication; Microgrids; Instantaneous Information; Full Deployment of Smart Grid
  Labels below the timeline: Bring Your Own Device; Integrating Cyber Resources; Cloud Computing; Advanced Persistent Threats

Smart Grid Technology Landscape
  Technical controls are required to meet the cyber security challenges.
  Isolation of layers provides protection of components and data.
  Level 2 is protected from Level 1 by firewalls and an Intrusion Protection System.
  Security control of Levels 1 & 2 ensures monitoring and protection of these networks.
  The EMS Network (Level 2), Substation Access Control (Level 3) and the Substation Network (Level 4) host Digital Assets.
  Access to devices within Level 4 is strictly controlled via a device in Level 3.
  Level 5 communicates to a segmented DMZ.
  Level 6 communicates only with Level 5.
  [Diagram labels: Users; Access Control; Head End System]
    Level 6: AMI
    Level 5: Collectors
    Level 4: Substation Network
    Level 3: Substation Access Control
    Level 2: EMS Network
    Level 1: Corporate Network
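
The two explicit rules on this slide (Level 4 is reached only via Level 3; Level 6 talks only to Level 5) can be checked against observed network flows. The sketch below is an added example, not part of the presentation: the subnet-to-level map and the flow records are constructed, and traffic inside a single level is assumed to be allowed.

```python
import ipaddress

# Constructed subnet-to-level map (assumption; real addressing will differ).
ZONES = {
    "10.1.0.0/16": 1,  # Corporate Network
    "10.2.0.0/16": 2,  # EMS Network
    "10.3.0.0/16": 3,  # Substation Access Control
    "10.4.0.0/16": 4,  # Substation Network
    "10.5.0.0/16": 5,  # Collectors
    "10.6.0.0/16": 6,  # AMI
}
NETS = [(ipaddress.ip_network(cidr), lvl) for cidr, lvl in ZONES.items()]

def level_of(addr):
    """Return the level an address belongs to, or None if it is unmapped."""
    ip = ipaddress.ip_address(addr)
    return next((lvl for net, lvl in NETS if ip in net), None)

def violations(src, dst):
    """List the slide's segmentation rules that a src -> dst flow breaks."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return ["unmapped endpoint"]
    found = []
    # Rule: access to Level 4 devices is only via Level 3.
    if d == 4 and s not in (3, 4):
        found.append("Level 4 reached without going through Level 3")
    # Rule: Level 6 communicates only with Level 5.
    if 6 in (s, d) and s != d and {s, d} != {5, 6}:
        found.append("Level 6 talking to a level other than 5")
    return found

def audit(flows):
    """Return (src, dst, rule) for every rule broken in a list of flows."""
    return [(s, d, v) for s, d in flows for v in violations(s, d)]

# Constructed sample flows (source, destination).
SAMPLE_FLOWS = [
    ("10.3.0.10", "10.4.0.20"),  # access control -> substation: allowed
    ("10.1.0.5", "10.4.0.20"),   # corporate -> substation: violation
    ("10.6.0.7", "10.5.0.2"),    # AMI -> collector: allowed
    ("10.6.0.7", "10.2.0.9"),    # AMI -> EMS: violation
    ("10.2.0.9", "10.4.0.20"),   # EMS -> substation directly: violation
    ("192.0.2.1", "10.4.0.20"),  # address outside every level: flagged
]

if __name__ == "__main__":
    for src, dst, rule in audit(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {rule}")
```

The Level 1/Level 2 firewall and the Level 5 DMZ are not modeled here, because the slide does not state which flows they permit.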

Threats

  Customers: Heartland Payment Systems Inc. (Credit Card Transaction Processor)
    Breach: Custom malware; designed to avoid anti-virus; installed on sensitive internet facing systems
    Impact: At least 100 million credit and debit card numbers exposed; recovery cost $12.6 million in 1st quarter after breach

  Revenue: Sony Entertainment Inc. (Video Game company)
    Breach: Multiple breaches; forced service shutdown; victim of hacktivism
    Impact: Recovery cost at least $171 million; PlayStation Network offline 24 days

  Operations: Natanz Nuclear Enrichment Plant, Iran
    Breach: Stuxnet; highly sophisticated APT; targeted Siemens SCADA
    Impact: Damaged Iranian centrifuges; disrupted Iranian nuclear material production

Question
  Are We Secure?

Answer
  Historical Evidence
    No evidence of major cyber security incidents in North America that affected reliability of the grid.
  Technological Improvements
    Cyber components enable constant monitoring to ensure reliability of grid
    Cyber components give real-time information for load prediction models
  Regulatory Changes
    Transparency: visibility of program and efforts to secure the grid
    Forced Compliance: required controls implemented
  Yes, But

Priorities
  Invest in Technology
    Advancement of Cyber Security Network
    People and Processes
  Learn From Mistakes
    Address Compliance Issues ASAP
    Measure and Report
  Raise Profile of Cyber Security
    Tie to Key Performance Indicators
    Mandatory Employee Training
  Summary
    Invest: 2-4% spent on technology/resources for cyber security
    Compliance: Foster a culture of compliance
    Governance: Annual review of cyber security with the Board of Directors