Mitigate - Deloitte US

2019 Deloitte Power & Utilities Conference
Power is not static
December 3-4, 2019

“Bits, Bytes & Barrels” webinar


Cyber Risks and How Power & Utility Companies Can Mitigate

James Turgal, Managing Director, Deloitte & Touche LLP


Copyright © 2019 Deloitte Development LLC. All rights reserved. 3

Contents

Security threat landscape 7
• A multi-faceted business issue

Industry vulnerabilities and threat vectors 10

What is Your Strategy 13
• What does good cyber security look like?

How do you think about Response and Mitigation? 15

Industry Impact

Improve Resilience

Build Platforms

Amplify Brand

Derive Insights

Share Information

Embrace Innovation

Orchestrate Change


Cyber Risk & Response Themes

Data – Ecosystems – Attack Surface


Security threat landscape: A multi-faceted national security & business issue


Cyber Risk & Response Themes: Overview of the threat actors, vectors, motivation and impact

Threat actors:
• State actors
• Hacktivists
• Employees & Contractors
• Cyber-criminals
• Script kiddies
• Competition
• Customers

Motivation:
• Espionage
• Financial gain
• Corruption of data
• Human error
• Disruption
• Making a statement
• Strategic National Security Advantage


Power & Utility Industry dynamic threat landscape: Overview of the threat actors, vectors, motivation and impact

Vectors:
• Intellectual Property
• Customer data
• Services
• Financial data
• Network Design data
• Operational info
• Reputation

Threats:

Top 3 threats in TMT:
• DDoS Attacks
• Web App Attacks
• Malware / Crimeware

Further major concerns:
• Insider Threats
• Data Breaches
• Information Leakage
• Data localization

Other global threats:
• Botnets
• Third party threats
• Cyber Espionage
• Phishing


Threat Actors / Capabilities in the Energy & Utility Sector


Industry vulnerabilities & threat vectors


Threat Scenario

1. Infection through Intrusion Detection System (IDS)

2. Virus/ Trojan infiltrates industrial control system

3. Social Engineering: Phishing employees on enterprise level propagates to field level manipulation

4. Malicious Update to Firmware in the Field to influence a single substation

5. Cross-sector, cross-border message flooding

6. Compromise equipment through SCADA application

7. Advanced Persistent Threat (APT) to Distribution System Operator (DSO) flexibility management system

8. Plant tripped off-line through compromised vendor remote connection equipment

9. Compromise Distribution Grid Management (DGM) through Supply Chain vulnerabilities

10. Weakened Security during weather related disaster

11. Unauthorized Mass Remote Disconnect through Firmware update

[Chart: each scenario plotted by OT focus vs. IT focus, each axis scaled to 100%]

Threat Vectors – Energy / Utility Sector and Impacts on Information & Operational Technology


Threat impacts

National Security Impact

Loss of Sensitive & Customer Data

Service Unavailability

Direct Financial Impact

Reputation Damage

Business Impact


What is your strategy: What does good cyber security look like?


Deloitte’s Cyber Strategy Evolution from Secure, Vigilant and Resilient to…

Is the answer Structural or Strategy or Both?

How do you synchronize Cyber Risk across People, Process and Technology?

What are your thoughts on Digital Ecosystems and Hybrid Infrastructure and Reduction of Attack Surface Area?

Simplification:
• Automated System Recovery (ASR)
• Process Simplification
• Data Reduction
• Access (Least Privilege)
• Where is your Data? What are your most valuable business Assets?
• What protections secure them?

Automation:
• Monitoring / Testing / Validation
• Reporting / Identity / Patching

Change Management:
• Culture (Mailroom to Boardroom)
• Ownership
• Insiders
• Training

Third Party Interaction:
• Re-Balancing Risk or Sharing Risk
• Managed Services – Are you sharing the risk or Chasing the Threat?

How does your Structure or Strategy lead to Building Resilience and Guaranteeing Recovery?


How do you think about risk & mitigation?


ICS/OT Cyber Solutions

• ICS/OT Cyber Asset Visibility and Monitoring
• ICS/OT Cyber Baseline Risk Assessments
• Incident Response (IR) and Forensics
• ICS/OT Threat Intelligence
• ICS/OT Vendor Risk Assessment
• Managed Threat Services


Strategies to defend industrial control systems: How does your strategy stack up?


Internet of Things (IoT)

Data – Ecosystems – Attack Surface


This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Copyright © 2019 Deloitte Development LLC. All rights reserved.