2011 09 30 Larry Clinton Presentation to FERC Staff About Utility Cybersecurity
7/31/2019 2011 09 30 Larry Clinton Presentation to FERC Staff About Utility Cybersecurity
1/44
Larry Clinton, President & CEO
Internet Security Alliance
lclinton@isalliance.org
703-907-7028
202-236-0001
www.isalliance.org
-
ISA Board of Directors
Ty Sagalow, Esq., Chair, Executive Vice President & Chief Innovation Officer, Zurich North America
Tim McKnight, 1st Vice Chair, Vice President & Chief Information Security Officer, Northrop Grumman
Jeff Brown, Secretary/Treasurer, Vice President, Infrastructure and Chief Information Security Officer, Raytheon
Pradeep Khosla, Founding Director of CyLab, Carnegie Mellon University
Marc Sachs, Vice President Government Affairs, Verizon
Lt. Gen. Charlie Croom (Ret.), Vice President Cyber Security Solutions, Lockheed Martin
Eric Guerrino, Managing Director Systems and Technology, Bank of New York Mellon
Joe Buonomo, President, DCR
Bruno Mahlmann, Vice President Cyber Security Division, Dell
Kevin Meehan, Vice President Information Technology & Chief Information Security Officer, Boeing
Rick Howard, iDefense Manager, VeriSign
Justin Somaini, Chief Information Security Officer, Symantec
Gary McAlum, Chief Security Officer, USAA
Paul Davis, Chief Technology Officer, NJVC
Andy Purdy, Chief Cybersecurity Strategist, CSC
John Havermann, II, Vice President & Director, Cyber Programs, Intelligence & Information, SAIC
-
The Internet Changes Everything
Concepts of Privacy
Concepts of National Defense
Concepts of Self
Concepts of Economics
Cyber security is an economic/strategic issue as much as an operational/technical one
-
Modern Power Systems are vulnerable
Historically, ICS were composed of proprietary technologies with limited connection to an organization's corporate networks or the Internet. In today's world, hardware and software platforms, interconnected public and private networks, and remote support are moving organizations from an isolated environment into a global, interconnected environment. These efficiencies represent new cyber security risks that were not present in their isolated environment.
-
Smart Grid problems
There are multiple ways smart grid tech may introduce cyber vulnerabilities into the system. An attacker could gain access to a remote or intermediate smart grid device and change data values and pass incorrect data upstream, and cause operators or automatic programs to take incorrect actions.
-
Control systems
An attacker that gains access to the communication channels could order metering devices to disconnect customers, order previously shed load to come back on line prematurely, or order dispersed generation sources to turn off during periods when load is approaching generation capacity, causing instability and outages on the bulk system. --- FERC Congressional Testimony May 2011
-
What is our goal?
Reliability?
Resilience?
Compliance?
Security?
-
Why is the Internet Vulnerable?
It was built that way
Protocols remain the same and are being adapted
Use is up dramatically
New devices make access greater
We don't pay for security
Incentives Incentives Incentives
It's not bad technology, it's technology under attack
-
ISAlliance Mission Statement
ISA seeks to integrate advanced technology with business economics and public policy to create a sustainable system of cyber security.
-
Cyber security economics is not what we hoped
This paper proposed types of activities associated with appropriately automated and distributed data (threat analysis, intervention & coordination of preventive actions). Aggregation and analysis of such data might lead to an improved ability to show how investments in cyber health can reduce operating costs. Such insights would likely strengthen consumer demand for healthy products and services and reduce risks. --- DHS Cyber Security Eco-System White Paper 2011
-
The cyber security economic equation
All the economic incentives favor the attackers
Attacks are cheap, easy, profitable and chances of getting caught are small
Defense is a generation behind the attacker, the perimeter to defend is endless, ROI is hard to show
Until we solve the cyber economics equation we will not have cyber security
DHS has it wrong --- efficiency and security are negatively related
-
Business Efficiency Drives increased INsecurity
VOIP
Extended Business Supply Chains
Extended customer integration
Cloud computing
-
These economics apply in the electric sector
Over the past few decades, the Electricity Sector has become increasingly dependent on digital technology to reduce costs, increase efficiency and maintain reliability during the generation, transmission and distribution of electric power. Electricity Sector organizations recognize these efficiencies represent new cyber security risks that were not present. --- DOE Cybersecurity Risk Management Process Guideline September 2011
Smart Grid
-
State of cyber security in utilities (PWC 2011)
Execs are confident in info security BP
They have effective plans in place & executing it
HOWEVER: Event frequency is up
More sophisticated attacks are occurring
Operating expenditures crucial to early detection are more likely to be deferred than at any time since 2008
-
State of cyber security in utilities (PWC 2011)
75% of Execs are either very (32%) or somewhat confident that their info security is effective
25% are not even somewhat confident
Awareness of breaches up (80% knowledgeable)
Insider attacks up (partner/suppliers up 67%)
The confidence rating, while high, is actually down 13% since 2006 (84% to 75%)
-
State of cyber security in utilities (PWC 2011)
For the third year in a row security spending deferments and cutbacks are high
Deferred security initiatives: 43% in 2009; 48% in 2010; and 48% in 2011
Reduced funding for security initiatives: 38% in 2009, 43% in 2010 and 46% in 2011
48% predict security spending will increase in the next 12 months (down from 54% who predicted an increase last year)
-
Cloud Computing is Growing
44% of utilities report that their organizations use cloud computing
40% say cloud computing has improved their security
62% of all IT professionals say they have little or no confidence in the security of the cloud --- including 48% who have already placed their data in the cloud
Difficult to enforce provider security policies
-
Advanced Persistent Threat
What is it?
Well funded
Well organized --- state supported
Highly sophisticated --- NOT hackers
Thousands of custom versions of malware
Escalated sophistication to respond to defenses
Maintain their presence and call-home
They target vulnerable people more than vulnerable systems
-
APT
The most revealing difference is that when you combat the APT, your prevention efforts will eventually fail. APT successfully compromises any target it desires. --- M-Trends Reports
18% of APT attacks are against the energy sector
5% of APT attacks vs. the chemical sector
49% of utilities say APT is driving their security spending
-
Utilities Response to APT
Utilities are countering the APT principally through virus protection (51%) and either intrusion detection/prevention solutions (27%)
Conventional information security defenses don't work vs. APT. The attackers successfully evade all anti-virus, network intrusion and other best practices, remaining inside the target's network while the target believes they have been eradicated. --- M-Trends Reports 2011
-
The Good News: We know (mostly) what to do!
PWC/GlInform Study 2006 --- best practices 100%
CIA 2007 --- 90% can be stopped
Verizon 2008 --- 87% can be stopped
NSA 2009 --- 80% can be prevented
Secret Service/Verizon 2010 --- 94% can be stopped or mitigated by adopting inexpensive best practices and standards already existing
-
Why are We not doing it?
Many technical and network management solutions that would greatly enhance security already exist in the marketplace but are not always used due to cost and complexity. --- Obama Administration Cyber Space Policy Review, May 30, 2009
-
Why are We not doing it?
Overall, cost was most frequently cited as the biggest obstacle to ensuring the security of critical networks.
Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution.
The number one barrier is the security folks who haven't been able to communicate the urgency well enough and they haven't actually been able to persuade the decision makers of the reality of the threat. --- from CSIS & PWC Surveys 2010
-
Why are We not doing it?
The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them and encouraging individuals and organizations to adopt them.
The Information Systems Audit and Control Association (ISACA), quoted in Dept. of Commerce Green Paper - March 2011
-
Outdated Structures
In 95% of companies the CFO is not directly involved in information security
2/3 of companies don't have a risk plan
83% of companies don't have a cross organizational privacy/security team
Less than half have a formal risk management plan; 1/3 of the ones who do don't consider cyber in the plan
In 2009 & 2010, 50%-66% of US companies deferred or reduced investment in cyber security
-
Financial Management of Cyber Risk (2008)
Outlines an enterprise wide process to attack cyber security broadly and economically
CFO strategies
HR strategies
Legal/compliance strategies
Operations/technology strategies
Communications strategies
Risk Management/insurance strategies
-
Electric Sector Risk Management Framework
Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision-making is integrated into every aspect of the organization. Senior executives are responsible for how cyber security risk impacts the organization's mission and business functions; each organization establishes a risk executive function that develops an organization-wide strategy to address risks.
-
ISA Social Contract
-
Trade Assoc/Civil Liberties White Paper
-
Path Forward--Regulation
Where regulation is baked into the economics of the industry, it can be useful in cyber security
The problem is not establishing the standards/regulations --- it's assuring actual cost recovery through the multi-level system of regulation (EISA 07 provides partial cost recovery)
Cyber security is a NATIONAL defense issue, not a local rate-payer issue; FERC may need to provide thought leadership to address the economics of cyber
-
Regulation, regulation, regulation
Many utilities are subject to not only FERC, but also EPA (water), NRC (Nuclear Regulatory Commission), DOT (pipelines) and state commissions. Since the electric grid is considered vital to national security, the DOD is very interested in bringing the electric industry (grid) into its US cyber command model. With the Administration's bill the energy sector is looking at yet one more regulatory master and another risk management plan that must be filed with DHS and subject to review by independent auditors for compliance.
-
Path forward: Legislation
House & Senate bills both grant new authority over regulating parts of the distribution systems not now subject to FERC --- w/ House granting more authority to FERC --- addressing vulnerability/threat information and allowing for cost recovery
Hill activity will begin this fall in House and Senate
Senate bill being rolled into the comprehensive bill
Chances of comp bill passing: less than 50%
-
Admin Leg Proposal -- Disclosure
Most cyber attack disclosure requirements are founded on misconceptions about what it is companies have available to disclose. Most sophisticated successful cyber attacks go undetected. The tools and services for detecting them are very expensive. Most companies are unable to tell whether they have been the victim of a successful cyber attack unless they make a special effort to investigate, spend additional resources on the effort, and have the necessary skills and tools already on hand.
-
Admin Leg Proposal -- Disclosure (cont.)
The initial signs that need to be pursued in order to discover a skilled cyber attack are hard to define, constantly changing, and often very subtle, and thus unsuitable for the annual evaluation procedure the Administration proposes to rely on. Uncovering a highly skilled cyber attack is currently much more of an art than a science. It can require intuition, creativity, and a very high degree of motivation.
-
The right incentives
Mandatory disclosure punishes companies that are good at detecting intrusions and malware. It creates an incentive not to know, so that there is no obligation to report. It diminishes the motivation of internal investigators, who may worry that finding out exactly what happened may do their company more harm than good. It adds to the ultimate costs of detection tools and services, making companies more reluctant to spend money on them.
-
Path Forward - Incentives
Although regulations may raise the overall baseline of security, they may lead to unintended consequences. For example, as a result of the NERC CIP standards some utilities are now focused on meeting regulatory requirements rather than achieving comprehensive and effective cyber security. --- Roadmap to Achieve Energy Delivery Systems Cyber Security, September 2011
-
Path Forward - need for collaboration
Privacy and pricing sensitivity issues often create disincentives for or legal barriers to disclosing vulnerabilities; demonstrating direct line benefits to the energy organization is difficult. Without the occurrence of a catastrophic event or a strong business case, public and private partners will continue to have limited time and resources to invest. --- DOE Roadmap 2011
-
The Right Incentives
Government needs to get its act together
More (regulation) is not necessarily better
Industry & Govt have aligned, not identical, goals
Use regulation streamlining as a reward
Consider how to create other incentives, e.g. insurance, liability, procurement, permitting
Only way to address sophisticated threats is through incentives and collaboration
-
Information Sharing
We need to be sure information being shared can be put into action
Dept of Commerce NOI asks about incentives to share info: Wrong Question
Companies w/ limited budgets are locked into a reactive defensive posture allowing for signature based perimeter monitoring and, if detected, malware eradication. Not helpful for modern attack methods.
-
Roach Motel: Bugs Get In Not Out
No way to stop determined intruders
Stop them from getting back out (w/ data) by disrupting attackers' command and control back out of our networks
Identify web sites and IP addresses used to communicate w/ malicious code
Don't stop attacks; we cut the profits & increase the costs
-
The ISA Supply Chain Strategy/Framework
Solve the supply chain problem in a way that ALSO produces other security benefits, thus justifying the increased expenditure
Businesses are not suffering greatly from supply chain attacks, but are suffering from other attacks
Key is to make the entire supply chain secure, i.e. supply chain must be part of a comprehensive framework
-
Larry Clinton, President & CEO
Internet Security Alliance
lclinton@isalliance.org
703-907-7028
202-236-0001
www.isalliance.org