Cedric Leighton, Colonel, USAF (Ret) Founder & President, Cedric Leighton Associates

Transcription

1 Cedric Leighton, Colonel, USAF (Ret) Founder & President, Cedric Leighton Associates

2 What is Cyber Security? The First Cyber Attack The Threat Landscape The Energy Industry as a Target The Legal & Regulatory Landscape Possible Policy Solutions The Paucity of (Real) Technical Solutions Securing the Energy Infrastructure

3 The effort to secure the Internet from entities that seek to harm it or its users The implementation of standards to protect the Internet and its users A program or programs designed to mitigate the threat posed by hackers against a specific IT network or specific entity using the Internet

4 Not a rigid, dogmatic set of rules Not a panacea Not something the Government can do by itself Not something Private Industry can do by itself But.

5 Requires an All-In approach Government & Private Sector Partnerships based on Trust With Flexible, Evolving Rules, and A workable Cyber Security Strategy

6 When was the First Cyber Attack?

7

8

9

10 Explosion was 1/7 the size of the Atomic Bombs used in Hiroshima & Nagasaki Could be Seen from Space Utterly Destroyed Large Section of Trans-Siberian Oil Pipeline Soviet Union lost $8 Billion in Annual Oil Revenue

11 It began with a Defector codenamed Farewell KGB Colonel Vladimir Vetrov Led KGB section that stole Western Technology Hated Soviet life Gave French Intelligence 4,000 page document detailing Soviet Industrial Espionage in the West French President Mitterrand shared with President Reagan

12 CIA discovered the Soviets wanted Western Computer Technology to run Trans-Siberian Pipeline Automate Pipeline Control Mechanisms Compressors, Valves, Storage Facilities Asked US for Software; Turned Down Bought from Canada, but with Modifications

13 Canadian software to run Pumps, Valves & Turbines Programmed to Fail Reset Pump Speeds & Valve Settings to Raise Pressure far beyond Tolerances Pressure too great for Welds & Joints Result: Monumental Explosion

14

15 In 1982: The Internet hardly existed; negligible Traffic Volume In 1990: 1000 Gigabytes of data travelled via the Internet per month Today s Traffic Volume: 27 Billion Gigabytes per month 5 Billion Different Devices will soon be connected to the Internet And then there s Malware

16 Hacktivists Cyber Criminals Other Non-State Actors State Actors

17

18 Anonymous; Lulzsec Politically Motivated; Anarchic Philosophy Stratfor Hack Ohio Rape Case Visa, MasterCard, PayPal Primary Method: DDoS (Distributed Denial of Service) Attacks Overwhelms Targeted Servers with more Traffic than they can Handle

19

20 Motivation: Financial Russian & East European Criminal Gangs Dominate Credit Card Number Theft Value of a Credit Card Number: $2.50 Identity Theft Cyber Ransoms Cyber Underworld = Criminal Underworld

21

22 Targeted 30 US Banks Using 100 Botnets Botnets: Computers that are taken over by a third party; used to attack other computers Some people participate willingly; most do not All you need to do is download Malware to become a Botnet Goal: Attack US Banks before they implement Two-Factor Authentication Stole at least $5 Million (and that was before Blitzkrieg really started)

23

24

25 Part of the People s Liberation Army s Intelligence Directorate Targets: US and North America; other English-speaking Countries Mission: Get as much Intellectual Property as possible Map Target Networks Find Vulnerabilities in Critical Infrastructure

26 Stole Intellectual Property from Nortel Stayed on Nortel Networks for over 10 years Not noticed at first When discovered, lethargic response Nortel lost out to Chinese competitors Nortel is Bankrupt Stole Blueprints for the F-35 Joint Strike Fighter from Northrop Grumman Stole Plans for Wind Turbines Part of a Broader Chinese Strategy

27 In the US: $500 Billion Annually Globally: $1 Trillion Annually

28 Target: Saudi Aramco, world s largest Oil Company Secondary Target: RasGas Qatar s 2 nd largest Gas Company Perpetrator: Iran Cyber Weapon: Shamoon Malware Result: 30,000 PC Workstations made useless

29 Hackers break into SCADA Systems Key Elements of the Nation s Critical Infrastructure are Sabotaged Large Sections of the Country are without Power Social Chaos & Death result

30 No Comprehensive Cyber Security Legislation Current Legislation not Moving Forward Last Year s Measures Failed Executive Order Designed to Protect Government Cyber Infrastructure NERC and NRC Standards & Rules No Comprehensive National Cyber Security Strategy

31 Develop a Comprehensive National Cyber Strategy Develop Evolving Minimum Cyber Security Standards & Regulations Pass Comprehensive Cyber Security Legislation to forge Partnership between Government & Private Sector Companies need Liability Protections Cyber Threat Information must be shared in Real- Time Private Partnerships with the Intelligence & Law Enforcement Communities

32 Many SCADA Systems are Old Security is an Afterthought (at best) Firewalls First line of defense, but can be breached Two-Factor Authentication Ok, but may not be practical for Utilities Encryption Essential, but can it be cracked? The Key: Understanding the Threat & Developing Responses to it

33 Cannot be done in Isolation Must be a Partnership Federal & State Regulatory Elements Law Enforcement Intelligence Cyber Security Firms Must Incorporate Latest Threat Data in Real- Time We re all on the Front Line now

34 The Cyber Threat is Real & Growing We must have a Proactive Partnership to Counter it Protecting Infrastructure, Businesses & Consumers is the Goal Businesses and Cooperatives that set the highest Cyber Security Standards will be the Gold Standard

35 Now it s Your Turn