Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities


Cybersecurity Basics For Energy Managers: Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities
Michael Mylrea, Manager, Cybersecurity & Energy Technology, Pacific Northwest National Lab
August 15, 2017, Tampa Convention Center, Tampa, Florida

Case Studies & Lessons Learned: Ukraine Grid Cyber Attack
Source: Michael J. Assante and Robert M. Lee, The Industrial Control System Cyber Kill Chain, October 2015.
Lessons learned:
- Know and monitor your critical cyber assets
- Do not run a flat network: segregate and secure IT/OT networks
- Cyber policies can reduce human error
- Hackers often use very basic tactics to hack very vulnerable systems
- Implement password management controls, firewalls, encryption and configuration policies

Case Studies & Lessons Learned: Devil's Ivy, Mirai, Shodan research
Lessons learned:
- Cybersecurity starts with smart procurement and provisioning of devices
- Though it is easy to find vulnerabilities, you can make it tough to exploit them
- Patch early, patch often, patch smart
- Security is a continuous process that requires active management of cyber risk

Case Study: DOE Integrated Joint Cybersecurity Coordination Center (IJC3)
Cyber Physical ECC
3 Open Source Tools to Help Protect Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities:
- Buildings Cybersecurity Framework: www.cf.labworks.org
- Buildings Cybersecurity Capability Maturity Model: http://www.bc2m2.pnnl.gov/
Lessons learned and recommendations:
- Government lacks clear cybersecurity requirements for buildings and OT cybersecurity
- Insider attacks, social engineering and physical access can defeat cybersecurity defenses
- Establish clear roles and responsibilities for buildings cybersecurity

IJC3 Lessons Learned: Applying Facility OT Cyber Assessment Tools & Methodologies
Security is a continuous process, and fostering a culture of security is imperative. The following are a couple of easy-to-use tools to facilitate this process.
Organizational-level tools:
- Procedures: the DOE Buildings Cybersecurity Framework provides an actionable framework for establishing building- and facility-specific OT cybersecurity procedures, and implements the new executive order on cybersecurity for critical infrastructure.
- Policies: the DOE Buildings Cybersecurity Maturity Model provides a high-level baseline and guidance for developing cybersecurity policies for buildings OT. It is adapted from over 50 cyber best practices to assess buildings/facilities IT and OT.
- Measuring the policies and procedures in place: INL/DHS CSET helps assess the policies and procedures that are in place against industry and government best practices.
Systems-level and facility-level tools:
- COTS cyber tools and vendor solutions: there are many COTS products, each with its own strengths and weaknesses, but no panacea. Limitations: cost, know-how, and the risk of causing damage when actively scanning legacy building controls.
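The Ukraine lessons above ("know and monitor your critical cyber assets", "do not run a flat network") and the caveat here about scanners damaging legacy building controls point at the same practical step: build the OT asset inventory passively. The following is an added example, not code from the slides or from PNNL. It decodes raw BACnet/IP datagrams (BVLC + NPDU + APDU) as they would be captured on a SPAN/mirror port of the building-automation VLAN. Because BACnet devices broadcast I-Am in reply to anyone's Who-Is, a listener builds an inventory without sending a single packet to a controller, and the source addresses of those replies show whether devices sit outside the approved OT ranges (a flat-network symptom) or whether two devices share one device instance ID. All frames and the OT network range are constructed for the example.

```python
"""Passive BACnet/IP asset inventory from captured I-Am frames.

Added example, not from the slide deck or PNNL. Frames and ranges are constructed.
"""
import ipaddress

BVLC_TYPE = 0x81                     # first octet of every BACnet/IP datagram
NPDU_VERSION = 0x01
APDU_UNCONFIRMED_REQUEST = 0x1       # high nibble of the first APDU octet
SERVICE_I_AM, SERVICE_WHO_IS = 0x00, 0x08
OBJ_TYPE_DEVICE = 8
SEGMENTATION = {0: "both", 1: "transmit", 2: "receive", 3: "none"}


def _skip_npdu(buf, off):
    """Return the offset of the APDU, or None for network-layer messages."""
    version, control = buf[off], buf[off + 1]
    if version != NPDU_VERSION or control & 0x80:   # 0x80: network-layer message, no APDU
        return None
    off += 2
    if control & 0x20:                              # destination specifier: DNET, DLEN, DADR
        off += 3 + buf[off + 2]
    if control & 0x08:                              # source specifier: SNET, SLEN, SADR
        off += 3 + buf[off + 2]
    if control & 0x20:                              # hop count follows the specifiers
        off += 1
    return off


def _app_tag(buf, off):
    """Decode one application-tagged value: (tag_number, value_bytes, next_off)."""
    tag, length = buf[off] >> 4, buf[off] & 0x07
    if buf[off] & 0x08:
        raise ValueError("context tag where an application tag was expected")
    off += 1
    if length == 5:                                 # extended length in the next octet
        length, off = buf[off], off + 1
    return tag, buf[off:off + length], off + length


def parse_bacnet_ip(payload):
    """Parse one UDP/47808 datagram. Returns a dict for I-Am or Who-Is, else None."""
    if len(payload) < 4 or payload[0] != BVLC_TYPE:
        return None
    if int.from_bytes(payload[2:4], "big") != len(payload):   # truncated/padded frame
        return None
    off = _skip_npdu(payload, 4)
    if off is None or (payload[off] >> 4) != APDU_UNCONFIRMED_REQUEST:
        return None
    service = payload[off + 1]
    if service == SERVICE_WHO_IS:
        return {"service": "Who-Is"}
    if service != SERVICE_I_AM:
        return None
    tag, obj, off = _app_tag(payload, off + 2)      # I-Am: object-id, max-APDU, segmentation, vendor
    obj_id = int.from_bytes(obj, "big")
    if tag != 12 or (obj_id >> 22) != OBJ_TYPE_DEVICE:
        return None
    _, max_apdu, off = _app_tag(payload, off)
    _, seg, off = _app_tag(payload, off)
    _, vendor, off = _app_tag(payload, off)
    return {
        "service": "I-Am",
        "instance": obj_id & 0x3FFFFF,
        "max_apdu": int.from_bytes(max_apdu, "big"),
        "segmentation": SEGMENTATION.get(int.from_bytes(seg, "big"), "unknown"),
        "vendor_id": int.from_bytes(vendor, "big"),
    }


def build_inventory(frames, ot_networks):
    """frames: iterable of (src_ip, payload). ot_networks: CIDRs where BMS devices belong.

    Returns {device_instance: record}. 'outside_ot' marks a device that answered from an
    address outside the approved OT ranges; 'duplicate_ips' marks one instance ID seen
    from several addresses (a duplicate device ID, which breaks BACnet addressing)."""
    nets = [ipaddress.ip_network(n) for n in ot_networks]
    inventory = {}
    for src_ip, payload in frames:
        msg = parse_bacnet_ip(payload)
        if not msg or msg["service"] != "I-Am":
            continue
        rec = inventory.setdefault(msg["instance"], {
            "ips": set(), "vendor_id": msg["vendor_id"], "max_apdu": msg["max_apdu"],
            "segmentation": msg["segmentation"], "outside_ot": False,
        })
        rec["ips"].add(src_ip)
        if not any(ipaddress.ip_address(src_ip) in n for n in nets):
            rec["outside_ot"] = True
        rec["duplicate_ips"] = len(rec["ips"]) > 1
    return inventory


# Constructed capture: (source IP, raw BACnet/IP payload of one UDP datagram).
SAMPLE_FRAMES = [
    ("10.20.5.13", bytes.fromhex("810b000c 0120ffff00ff 1008")),                              # Who-Is from a client
    ("10.20.5.11", bytes.fromhex("810b0018 0120ffff00ff 1000 c402000001 2205c4 9103 210f")),  # device 1
    ("10.20.5.12", bytes.fromhex("810b0018 0120ffff00ff 1000 c40200007b 2205c4 9103 2110")),  # device 123
    ("192.0.2.40", bytes.fromhex("810a0014 0100 1000 c4020001f4 2201e0 9103 2126")),          # device 500, off-VLAN
    ("10.20.5.14", bytes.fromhex("810b0018 0120ffff00ff 1000 c402000001 2205c4 9103 210f")),  # device 1 again, new IP
]
OT_NETWORKS = ["10.20.5.0/24"]   # constructed: the approved building-automation range

if __name__ == "__main__":
    for inst, rec in sorted(build_inventory(SAMPLE_FRAMES, OT_NETWORKS).items()):
        flags = [k for k in ("outside_ot", "duplicate_ips") if rec[k]]
        print(f"device {inst:>7} vendor {rec['vendor_id']:>3} at {sorted(rec['ips'])} {flags}")
```

In practice the frames come from a capture on the BMS VLAN (for example UDP port 47808 taken off a mirror port); nothing here transmits, so it is safe to run against controllers that a Nmap or CSET-style active scan might crash. The two flags it raises map directly to the slide's lessons: a device answering from outside the OT range is evidence of a flat or mis-segmented network, and the inventory itself is the list of critical cyber assets to monitor.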

Buildings Cybersecurity Framework https://cf.labworks.org

BCF Realizes Goals of the Recent Executive Order Requiring Implementation of the NIST Cyber Framework
The executive order directs agencies to use the NIST Cybersecurity Framework, which is the core of BCF, and holds cabinet secretaries and agency directors responsible for the security of their organizations' information assets, as is already current law. "Agency heads will be held accountable by the president for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of information or systems," the revised draft order states. BCF domains are logical groupings of cybersecurity practices, built on the foundation of the National Institute of Standards and Technology (NIST) Framework.

Organization of the BCF Framework
- Framework: based on the NIST Cybersecurity Framework and existing best practices
- Domains: the framework contains 5 domains
- Building blocks: three or more per domain, unique to each domain
- Each domain includes a checklist and a Security Indicator Level (SIL): Security Level 1, Security Level 2, Security Level 3

BCF Webtool Features: https://cf.labworks.org

References
- SANS Institute, 20 Critical Security Controls
- ISA 62443-3-3:2013
- ISO/IEC 27001:2013
- Michael Chipley, Daryl Haegley and Eric J. Nickel, Your Building Control Systems Have Been Hacked. Now What?
- DOE Cybersecurity Capability Maturity Model (C2M2)
- DOE Buildings Cybersecurity Maturity Model (B-C2M2)
- DOE EERE BTO Buildings Cybersecurity Whitepaper (forthcoming)
- DOE EERE Building Cybersecurity Framework Overview (forthcoming)
- U.S. Department of Defense, Unified Facilities Criteria (UFC): Cybersecurity of Facility-Related Control Systems
- DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT)
- DoD Facility-Related Control Systems Cybersecurity Guidelines
- Executive Orders 13636 and 13800 (May 2017)
- Michael J. Assante and Robert M. Lee, The Industrial Control System Cyber Kill Chain, October 2015
- NIST Special Publication 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, 2013
- NIST Special Publication 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security, 2015
- NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment
- Unified Facilities Criteria 3-410-02, Direct Digital Control for HVAC and Other Building Control Systems
- Government Accountability Office, GAO-15-6, Federal Facility Cybersecurity, 2014

Contact Info: Michael Mylrea, Pacific Northwest National Lab, michael.mylrea@pnnl.gov