2011 09 30 Larry Clinton Presentation to FERC Staff About Utility Cybersecurity

  • 7/31/2019 2011 09 30 Larry Clinton Presentation to FERC Staff About Utility Cybersecurity

    1/44

    Larry Clinton

    President & CEO

    Internet Security Alliance

    lclinton@isalliance.org

    703-907-7028

    202-236-0001

    www.isalliance.org

    2/44

    ISA Board of Directors

    Ty Sagalow, Esq. Chair, Executive Vice President & Chief Innovation Officer, Zurich North America

    Tim McKnight, 1st Vice Chair, Vice President & Chief Information Security Officer, Northrop Grumman

    Jeff Brown, Secretary/Treasurer, Vice President, Infrastructure and Chief Information Security Officer, Raytheon

    Pradeep Khosla, Founding Director of Cylab, Carnegie Mellon University

    Marc Sachs, Vice President Government Affairs, Verizon

    Lt. Gen. Charlie Croom (Ret.), Vice President Cyber Security Solutions, Lockheed Martin

    Eric Guerrino, Managing Director Systems and Technology, Bank of New York Mellon

    Joe Buonomo, President, DCR

    Bruno Mahlmann, Vice President Cyber Security Division, Dell

    Kevin Meehan, Vice President Information Technology & Chief Information Security Officer, Boeing

    Rick Howard, iDefense Manager, VeriSign

    Justin Somaini, Chief Information Security Officer, Symantec

    Gary McAlum, Chief Security Officer, USAA

    Paul Davis, Chief Technology Officer, NJVC

    Andy Purdy, Chief Cybersecurity Strategist, CSC

    John Havermann, II, Vice President & Director, Cyber Programs, Intelligence & Information, SAIC

    3/44

    4/44

    The Internet Changes Everything

    Concepts of Privacy

    Concepts of National Defense

    Concepts of Self

    Concepts of Economics

    Cyber security is an economic/strategic issue as much as an operational/technical one

    5/44

    Modern Power Systems are vulnerable

    Historically, ICS were composed of proprietary technologies with limited connection to an organization's corporate networks or the Internet. In today's world, hardware and software platforms, interconnected public and private networks, and remote support are moving organizations from an isolated environment into a global, interconnected environment. These efficiencies represent new cyber security risks that were not present in their isolated environment.

    6/44

    Smart Grid problems

    There are multiple ways smart grid tech may introduce cyber vulnerabilities into the system. An attacker could gain access to a remote or intermediate smart grid device and change data values and pass incorrect data upstream and cause operators or automatic programs to take incorrect actions

    7/44

    Control systems

    An attacker that gains access to the communication channels could order metering devices to disconnect customers, order previously shed load to come back on line prematurely, or order dispersed generation sources to turn off during periods when load is approaching generation capacity causing instability, outages on the bulk system. ---- FERC Congressional Testimony May 2011

    8/44

    What is our goal?

    Reliability?

    Resilience?

    Compliance?

    Security?

    9/44

    Why is the Internet Vulnerable?

    It was built that way

    Protocols remain the same and are being adapted

    Use is up dramatically

    New devices make access greater

    We don't pay for security

    Incentives Incentives Incentives

    It's not bad technology, it's technology under attack

    10/44

    ISAlliance Mission Statement

    ISA seeks to integrate advanced technology with business economics and public policy to create a sustainable system of cyber security.

    11/44

    Cyber security economics is not what we hoped

    This paper proposed types of activities associated with appropriately automated and distributed data (threat analysis, intervention & coordination of preventive actions). Aggregation and analysis of such data might lead to an improved ability to show how investments in cyber health can reduce operating costs. Such insights would likely strengthen consumer demand for healthy products and services and reduce risks --- DHS Cyber Security Eco-System White Paper 2011

    12/44

    The cyber security economic equation

    All the economic incentives favor the attackers

    Attacks are cheap, easy, profitable and chances of getting caught are small

    Defense is a generation behind the attacker, the perimeter to defend is endless, ROI is hard to show

    Until we solve the cyber economics equation we will not have cyber security

    DHS has it wrong --- efficiency and security are negatively related

    13/44

    Bus Efficiency Drives increased INsecurity

    VOIP

    Extended Business Supply Chains

    Extended customer integration

    Cloud computing

    14/44

    These economics apply in the electric sector

    Over the past few decades, the Electricity Sector has become increasingly dependent on digital technology to reduce costs, increase efficiency and maintain reliability during the generation, transmission and distribution of electric power. Electricity Sector organizations recognize these efficiencies represent new cyber security risks that were not present --- DOE Cybersecurity Risk Management Process Guideline September 2011

    Smart Grid

    15/44

    State of cyber security in utilities (PWC 2011)

    Exec are confident in info security BP

    They have effective plans in place & executing it

    HOWEVER:

    Event frequency is up

    More sophisticated attacks are occurring

    Operating expenditures crucial to early detection are more likely to be deferred than at any time since 2008

    16/44

    State of cyber security in utilities (PWC 2011)

    75% of Execs are either very (32%) or somewhat confident that their info security is effective

    25% are not even somewhat confident

    Awareness of breaches up (80% knowledgeable)

    Insider attacks up (partner/suppliers up 67%)

    The confidence rating, while high, is actually down 13% since 2006 (84% to 75%)

    17/44

    State of cyber security in utilities (PWC 2011)

    For the third year in a row security spending deferments and cutbacks are high

    Deferred security initiatives 43% in 2009; 48% in 2010; and 48% in 2011

    Reduced funding for security initiatives 38% in 2009, 43% in 2010 and 46% in 2011

    48% predict security spending will increase in the next 12 months (down from 54% who predicted an increase last year)

    18/44

    Cloud Computing is Growing

    44% of utilities report that their organizations use cloud computing,

    40% say cloud computing has improved their security

    62% of all IT professionals say they have little or no confidence of the security of the cloud --- including 48% who have already placed their data in the cloud

    Difficult to enforce provider security policies

    19/44

    Advanced Persistent Threat

    What is it?

    Well funded

    Well organized --- state supported

    Highly sophisticated --- NOT hackers

    Thousands of custom versions of malware

    Escalated sophistication to respond to defenses

    Maintain their presence and call-home

    They target vulnerable people more than vulnerable systems

    20/44

    APT

    The most revealing difference is that when you combat the APT, your prevention efforts will eventually fail. APT successfully compromises any target it desires ---- M-trend Reports

    18% of APT attacks are against the energy sector

    5% APT attacks vs. the chemical sector

    49% of utilities say APT is driving their security spending

    21/44

    Utilities Response to APT

    Utilities are countering the APT principally through virus protection (51%) and either intrusion detection/prevention solutions (27%)

    Conventional information security defenses don't work vs. APT. The attackers successfully evade all anti-virus network intrusion and other best practices, remaining inside the target's network while the target believes they have been eradicated. --- M-Trend Reports 2011

    22/44

    The Good News: We know (mostly) what to do!

    PWC/Gl Inform Study 2006 --- best practices 100%

    CIA 2007 --- 90% can be stopped

    Verizon 2008 --- 87% can be stopped

    NSA 2009 --- 80% can be prevented

    Secret Service/Verizon 2010 --- 94% can be stopped or mitigated by adopting inexpensive best practices and standards already existing

    23/44

    Why are We not doing it?

    Many technical and network management solutions that would greatly enhance security already exist in the marketplace but are not always used due to cost and complexity.

    Obama Administration Cyber Space Policy Review May 30, 2009

    24/44

    Why are We not doing it?

    Overall, cost was most frequently cited as the biggest obstacle to ensuring the security of critical networks.

    Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution.

    The number one barrier is the security folks who haven't been able to communicate the urgency well enough and they haven't actually been able to persuade the decision makers of the reality of the threat. ---- from CSIS & PWC Surveys 2010

    25/44

    Why are We not doing it?

    The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them and encouraging individuals and organizations to adopt them.

    The Information Systems Audit and Control Association (ISACA) quoted in Dept. of Commerce Green Paper - March 2011

    26/44

    Outdated Structures

    In 95% of companies the CFO is not directly involved in information security

    2/3 of companies don't have a risk plan

    83% of companies don't have a cross organizational privacy/security team

    Less than have a formal risk management plan, 1/3 of the ones who do don't consider cyber in the plan

    In 2009 & 2010, 50% - 66% of US companies deferred or reduced investment in cyber security

    27/44

    Financial Management of Cyber Risk (2008)

    Outlines an enterprise wide process to attack cyber security broadly and economically

    CFO strategies

    HR strategies

    Legal/compliance strategies

    Operations/technology strategies

    Communications strategies

    Risk Management/insurance strategies

    28/44

    Electric Sector Risk Management Framework

    Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision-making is integrated into every aspect of the organization. Senior executives are responsible for how cyber security risk impacts the organization's mission and business functions; each organization establishes a risk executive function that develops an organization-wide strategy to address risks.

    29/44

    ISA Social Contract

    30/44

    Trade Assoc/Civil Liberties White Paper

    31/44

    Path Forward--Regulation

    Where regulation is baked into the economics of the industry, it can be useful in cyber security

    The problem is not establishing the standards/regulations --- it's assuring actual cost recovery through the multi-level system of regulation (EISA 07 provides partial cost recovery)

    Cyber security is a NATIONAL defense issue, not a local rate-payer issue; FERC may need to provide thought leadership to address economics of cyber

    32/44

    33/44

    Regulation, regulation, regulation

    Many utilities are subject to not only FERC, but also EPA (water), NRC (Nuclear Regulatory Commission), DOT (pipelines) and state commissions. Since the electric grid is considered vital to national security, the DOD is very interested in bringing the electric industry (grid) into its US cyber command model. With Administration's bill the energy sector is looking at yet one more regulatory master and another risk management plan that must be filed with DHS and subject to review by independent auditors for compliance.

    34/44

    Path forward--Legislation

    House & Senate bills both grant new authority over regulating parts of the distribution systems not now subject to FERC --- w/ House granting more authority to FERC --- addressing vulnerability/threat information and allowing for cost recovery

    Hill activity will begin this fall in House and Senate

    Senate bill being rolled into the comprehensive bill

    Chances of comp bill passing -------- less than 50%

    35/44

    Admin Leg Proposal--Disclosure

    Most cyber attack disclosure requirements are founded on misconceptions about what it is companies have available to disclose. Most sophisticated successful cyber attacks go undetected. The tools and services for detecting them are very expensive. Most companies are unable to tell whether they have been the victim of a successful cyber attack unless they make a special effort to investigate, spend additional resources on the effort, and have the necessary skills and tools already on hand.

    36/44

    Admin Leg Proposal-

    The initial signs that need to be pursued in order to discover a skilled cyber attack are hard to define, constantly changing, and often very subtle and thus unsuitable for the annual evaluation procedure the Administration proposes to rely on. Uncovering a highly skilled cyber attack is currently much more of an art than a science. It can require intuition, creativity, and a very high degree of motivation.

    37/44

    The right incentives

    Mandatory disclosure punishes companies that are good at detecting intrusions and malware. It creates an incentive not to know, so that there is no obligation to report. It diminishes the motivation of internal investigators, who may worry that finding out exactly what happened may do their company more harm than good. It adds to the ultimate costs of detection tools and services, making companies more reluctant to spend money on them.

    38/44

    Path Forward-Incentives

    Although regulations may raise the overall baseline of security, they may lead to unintended consequences. For example, as a result of the NERC CIP standards some utilities are now focused on meeting regulatory requirements rather than achieving comprehensive and effective cyber security. --- Roadmap to Achieve Energy Delivery Systems Cyber Security September 2011

    39/44

    Path Forward--need for collaboration

    Privacy and pricing sensitivity issues often create disincentives for or legal barriers to disclosing vulnerabilities; demonstrating direct line benefits to the energy organization is difficult. Without the occurrence of a catastrophic event or a strong business case, public and private partners will continue to have limited time and resources to invest. ---- DOE Roadmap 2011

    40/44

    The Right Incentives

    Government needs to get its act together

    More (regulation) is not necessarily better

    Industry & Govt have aligned not identical goals

    Use regulation streamline as a reward

    Consider how to create other incentives, e.g. insurance, liability, procurement, permitting

    Only way to address sophisticated threats is through incentives and collaboration

    41/44

    Information Sharing

    We need to be sure information being shared can be put into action

    Dept of Commerce NOI asks about incentives to share info: Wrong Question

    Companies w/ limited budgets locked into reactive defensive posture allowing for signature based perimeter monitoring and if detected malware eradication

    Not helpful for modern attack methods.

    42/44

    Roach Motel: Bugs Get In Not Out

    No way to stop determined intruders

    Stop them from getting back out (w/ data) by disrupting attackers' command and control back out of our networks

    Identify web sites and IP addresses used to communicate w/ malicious code

    Don't stop attacks -- we cut the profits & Increase the costs

    43/44

    The ISA Supply Chain Strategy/Framework

    Solve the supply chain problem in a way that ALSO produces other security benefits, thus justifying the increased expenditure

    Businesses are not suffering greatly from supply chain attacks, but are suffering from other attacks

    Key is to make the entire supply chain secure, i.e. supply chain must be part of a comprehensive framework

    44/44

    Larry Clinton

    President & CEO

    Internet Security Alliance

    lclinton@isalliance.org

    703-907-7028

    202-236-0001

    www.isalliance.org