Cybersecurity for Utilities: Compliance, Protection, and Improving

Transcription

1 CONFERENCE Cybersecurity for Utilities: Compliance, Protection, and Improving Overall Program Efficiencies October 8-9, 2013 The Offices of Troutman Sanders, LLP Washington, DC Pre-Conference Workshop A Technical glance at cybersecurity Tuesday, October 8, 2013 Post-Conference Workshop When security is not enough: A Real Analysis of a security failure and response at a large energy company Thursday, October 10, 2013 Sponsors EUCI is authorized by IACET to offer 1.0 CEUs for the conference and 0.3 CEUs for each workshop. 1

2 Post-Conference Workshop: When Security Is Not Enough: A Real Analysis of a Security Failure and Response at a Large Energy Company Overview This workshop will highlight how computer forensics is used to protect energy companies. It will highlight how one particular energy company, as prepared as they were, was not prepared for a very simple intrusion that gave the attacker access to their whole domain and tens of thousands of users. This session will walk through a successful detection, identification, extraction, and remediation of this client s unfortunate incident, highlighting the point of view of the energy company throughout the incident and what would have happened had they not taken such diligence in the preparation for the day their security failed them. Learning Outcomes/Agenda: Thursday, October 10, :30-9:00 a.m. registration & Continental Breakfast 9:00 a.m. - 12:00 p.m. Workshop Timing Identify proper preparation and prevent techniques to avoid attacks Recognize when there is a problem and how to properly handle it Differentiate how and when an attack requires computer forensics investigation Identify potential outcomes of attacks and how to achieve them 8

3 Agenda Tuesday, October 8, :30-1:00 p.m. Registration & Welcome 1:00-1:45 p.m. Keynote: Critical Infrastructure Protection - Cyber and Physical Nexus - Caitlin Durkovich, Assistant Secretary for Infrastructure Protection, Department of Homeland Security 1:45-3:00 p.m. panel Discussion: Implementing CIP Version 5 and Possible Future CIP Changes 3:00-3:30 p.m. networking Break The first version of the NERC CIP standards was approved by FERC in The industry is now tasked with complying with Version 5 of the CIP standards. This panel will examine the challenges facing the industry in implementing Version 5, as well as any outstanding issues that may require additional modifications to the CIP standards. - Moderator: Jeff Jakubiak, Partner, Troutman Sanders, LLP - David Dekker, Cybersecurity Standards Manager, PEPCO - Robert Schuler, Cybersecurity Principal, SAIC - Jerome Farquharson, Global Practice Manager, Burns & McDonnell - Sunil Kumar, Director of Consulting Services, AlertEnterprise 3:30-5:00 p.m. panel Discussion: Best Practices for Smart Grid Cybersecurity Smart grid systems that are a part of the bulk-power system are subject to the NERC CIP standards, but smart grid systems that are on the distribution system are not subject to the mandatory requirements. In 2010, NIST issued a framework and roadmap on smart grid interoperability standards, and released an update in Recognizing that there are no mandates on much of the smart grid systems, this panel will examine the existing and proposed cybersecurity frameworks, the best practices that are being implemented by utilities, and what additional measures could be implemented to better ensure smart grid cybersecurity. - Moderator: Amie Colby, Managing Partner, Troutman Sanders, LLP - Jon Stitzel, Security Analyst III, Ameren - Sharla Artz, Director- Government Affairs, Schweitzer Engineering Laboratories 5:00-6:00 p.m. networking Reception, Hosted by Wednesday, October 9, :30-9:00 a.m. Continental Breakfast 9:00-9:45 a.m. addressing Liability Issues for Electric Utilities Since the implementation of NERC s CIP reliability standards, Congress has considered enactment of additional cybersecurity requirements, either to apply specifically to the electric utility industry or to all industry sectors. Included in a number of these bills is liability protection language. The President s Executive Order on cybersecurity also included directives to identify incentives to promote participation in the voluntary Cybersecurity Framework, including liability protections. Bonnie Suchman will examine what liability protections should be in place for electric utilities to afford such utilities the necessary protections, as well as examine how proposed liability language could actually undermine existing protections. - Bonnie Suchman, Of Counsel, Troutman Sanders, LLP 3

4 Agenda Wednesday, October 9, 2013 (CONTINUED) 9:45-10:45 a.m. Cost Management of Cybersecurity 10:45-11:15 a.m. networking Break Determining what is an appropriate amount of funding for cybersecurity is one of the top issues facing utilities today. This session will explore some of the challenges in determining just what is enough spending on cybersecurity, hear concerns from utilities and regulators, and the need for some way to measure the effectiveness of utility spending on cybersecurity. - David Batz, Director, Cyber & Infrastructure Security, EEI (Invited) - Chris Villarreal, Regulatory Analyst, California Public Utilities Commission 11:15 a.m. - 12:00 p.m. emerging Supply Chain Risk Management: Standards & Best Practices for Utilities Software and hardware supply chain are a serious concern in the industrial control systems and smart grid space. Utilities count on their ICT product and service suppliers to build security in to ensure appropriate protection of critical infrastructure. The questions of the origins of subcomponents, software development practices, and trustworthiness of delivery channels are all relevant in this context. Several standards and best practices efforts are nearing completion and will be published in the next 6-12 months. Those include standards that address general cybersecurity context, standards that are specific to ICSs, national efforts, and international efforts. The presentation will discuss the problem space and summarize emerging standards and best practices that can be used to address the problem. - Nadya Bartol, Senior Cybersecurity Strategist, Utilities Telecom Council 12:00-1:00 p.m. group Luncheon 1:00-1:45 p.m. ground Truth Competency Assessment for Smart Grid Cybersecurity The constant change in smart grid technology and the cybersecurity threat landscape demand an adaptive workforce which aligns special skills across a broad range of job roles. Energy companies have lacked clear guides and tools to help them understand whether their staff and consultants possess the right competencies to address the latest developments, or ground truth, in smart grid vulnerability and best practices for deterring and responding to the growing threat. Guided by a model of Ground Truth Expertise Development of the cybersecurity workforce, the Department of Energy recently commissioned a multi-year study to produce and validate predictive models of on-the-job performance by smart grid cybersecurity professionals. In this presentation, we will review the Smart Grid Cybersecurity Job Performance Model (SGC JPM) that resulted from the first phase of this project, focusing on the critical metrics expected to differentiate performance at varying levels of competency: novice, proficient, competent, expert, and master. We will discuss the implications of this model for the assessment of human capital vulnerabilities which limit the preparedness or resilience of smart grid installations to cyber threats and attacks. Finally, we will review the implications of the SGC JPM competency model and assessment tools for research and development of cybersecurity and control system engineering curricula and performance support technology. - Dr. David Tobey, Chief Executive Officer, VivoWorks, Inc. 1:45-2:30 p.m. beyond CIP Standards: Managing Effective Cybersecurity Recently, the Federal Energy Regulatory Commission (FERC) approved Version 5 of the NERC CIP cybersecurity standards for the bulk electric system. Although the NERC CIP standards have greatly improved many aspects of the power industry s cybersecurity posture, especially in the area of control systems security, they should only be the foundation of a larger effort. Effective cybersecurity must be more than a compliance checklist. This presentation will outline a high level cybersecurity model and provide guidance and ideas to move beyond the Culture of Compliance mindset into a Culture of Security. - Jon Stitzel, Security Analyst III, Ameren 2:30-3:00 p.m. networking Break 4

5 Agenda Wednesday, October 9, 2013 (CONTINUED) 3:00-3:45 p.m. emerging Cybersecurity Policy: Security Trends at the Legislative and Executive Branches This session will examine new and emerging policy debates in the legislative and executive branches to provide companies insight into potential cybersecurity requirements and obligations in the years ahead. Congressional debate has focused on organizational structure, new standards, and technical requirements; the executive branch is exploring ways to evolve the standard of care, changes in regulations, and other non-regulatory activities that will improve cybersecurity awareness, mitigation, and response. - Jacob Olcott, Principal, Good Harbor Security Risk Management, LLC 3:45-4:30 p.m. T the Executive Order s Cybersecurity Framework and Utilities Executive Order 13636, Improving Critical Infrastructure Cybersecurity, has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of critical infrastructure. In this session, NIST will discuss the development and content of the Preliminary Cybersecurity Framework, which will be published by October 10, per the Executive Order. Additionally, UTC will discuss the Preliminary Cybersecurity Framework and how it relates to several common challenges and solution sets arising from a recent survey to a group of utility executives and practitioners spanning control systems engineering, cybersecurity, information technology, telecommunications, and compliance - Jon Boyens, NIST - Nadya Bartol, Senior Cybersecurity Strategist, Utilities Telecom Council 4:30-5:00 p.m F formal Q&A Session 5:00 p.m. Conference Adjourns 5

6 Pre-Conference Workshop: A Technical Glance at Cybersecurity Overview This workshop will explore the unique, exciting technical security content on smart grid defense, key attributes for secure and compliant controls, and security for distributed control system (DCS) cloud, and virtual technologies being used by some utilities. The threat landscape, recent real-world security impacts to our infrastructure, and how organizations can implement meaningful security measures to control systems while also, keeping the systems available for their important functions and delivering on compliance commitments to management and regulators will be discussed. Following the technical discussion, impacts of the Presidential Executive Order on utilities and the latest FERC/NERC developments to CIP, including what the industry knew would happen, how it really turned out, and some new predictions for the utilityrelated cybersecurity future will be reviewed. The instructors will draw upon their extensive industry knowledge and experience in secure control system and smart grid deployment in the increasingly complex environment of evolving threats. Through participation in this workshop, attendees will be able to identify the most relevant security requirements and more effectively respond to emerging dangers. Participants will also have an opportunity to discuss their own experiences with security threats or CIP compliance and interact with individuals from utilities, vendors, and integrators about how best to approach security and compliance, while maintaining availability - comprehensively and cost effectively. Learning Outcomes/Agenda: Tuesday, October 8, :30-9:00 a.m. registration & Continental Breakfast 9:00 a.m. - 12:00 p.m. Workshop Timing Identify the threat landscape for the energy industry and where cybersecurity is most effective Evaluate the impact of smart grid technologies on cybersecurity Review key technical aspects to be successful in applying cyber security to control systems while maintaining availability Assess the latest NERC CIP updates and their impacts on compliance Identify industry implications of the Presidential Executive Order Describe where virtual infrastructures are used in control system environments, what attackers are seeing, and how to defend them 6

7 Workshop INSTRUCTORs Gib Sorebo / Assistant Vice President and Chief Cyber Security Technologist / SAIC Mr. Sorebo is a Chief Cyber Security Technologist and Vice President for SAIC where he assists government and private sector organizations in complying with legal and regulatory requirements and advises customers on ways to reduce cybersecurity risks. He has been working in the information technology industry for more than twenty years in both the public and private sector. In addition to federal and state governments, Mr. Sorebo has done security consulting in the financial services and electricity sectors. He has managed and participated in system security certification and accreditation, penetration testing, and vulnerability assessments. He is recognized for his expertise in information security compliance where he has helped government and commercial customers comply with various legal obligations. Additionally, as a former Windows system administrator and network penetration tester, Mr. Sorebo has extensive technical abilities and is familiar with a wide variety of network security tools and exploit methods. He is also a frequent speaker at national security and utility conferences, such as the RSA Security Conference, CSI Annual Conference, Metering America, Autovation, and the FIRST Annual Conference, where he has given talks on information security liability, Sarbanes-Oxley, E-Discovery, and breach notification. He was instrumental in the development of and provided significant leadership and guidance to SAIC s Smart Grid Security practice where he established the SAIC Smart Grid Security Solutions Center for product security testing and solution development and contributed to a variety of other smart grid security research efforts. He is also the co-author of a book on smart grid security. Robert Schuler / Cybersecurity Principal / SAIC Robert Schuler, CISSP, is a cybersecurity principal of SAIC has spent 15 years in information security risk management and systems engineering across industries. As an expert in cybersecurity and North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP), he currently manages multi-region NERC CIP compliance efforts at a major independent power producer. He facilitates agreements among business units, helps achieve secure architectures that are business enablers, and tackles a range of complex technical issues. Robert is also addressing the security aspects of NERC CIP, smart grid, and other cyber security implementation efforts. 7

8 Post-Conference Workshop: When Security Is Not Enough: A Real Analysis of a Security Failure and Response at a Large Energy Company Overview This workshop will highlight how computer forensics is used to protect energy companies. It will highlight how one particular energy company, as prepared as they were, was not prepared for a very simple intrusion that gave the attacker access to their whole domain and tens of thousands of users. This session will walk through a successful detection, identification, extraction, and remediation of this client s unfortunate incident, highlighting the point of view of the energy company throughout the incident and what would have happened had they not taken such diligence in the preparation for the day their security failed them. Learning Outcomes/Agenda: Thursday, October 10, :30-9:00 a.m. registration & Continental Breakfast 9:00 a.m. - 12:00 p.m. Workshop Timing Identify proper preparation and prevent techniques to avoid attacks Recognize when there is a problem and how to properly handle it Differentiate how and when an attack requires computer forensics investigation Identify potential outcomes of attacks and how to achieve them 8

9 Workshop INSTRUCTOR Keith J. Jones / Senior Special Projects Manager and Consultant / Kyrus Tech, Inc Keith J. Jones provides computer forensics, electronic evidence discovery, litigation support, expert witness services and training to commercial and government clients. Mr. Jones has a strong hardware and software development background. He is an industry-recognized expert in computer security with two decades of experience in computer forensics and incident response. His expertise also includes information security consulting, application security, software analysis/design and image/video/audio analysis. Currently, Mr. Jones is the Senior Special Projects Manager and Consultant for Kyrus Tech, Inc. Mr. Jones s main role is managing commercial clients (including electric utilities) in the litigation space which includes computer forensics, cybercrime, and expert witness services. In the past, Mr. Jones was the Director of Computer Forensics, Incident Response and Litigation Support and a Founding Member of MANDIANT where he managed and directed technical teams that conducted computer intrusion investigations, forensic examinations, litigation support and e-discovery efforts. Mr. Jones was the Director of Incident Response and Computer Forensics at Foundstone, where he led the service line s engagements and was a developer and lead instructor of several technical education courses. Earlier in his distinguished career, Mr. Jones served as a Senior Security Administrator at a biotechnology company, responsible for the corporation s entire information security model, developing a security and network infrastructure from the ground up. Prior to that, he managed a team of developers at SYTEX, Inc, on several software development projected projects, where he was in charge of building specialized tools for log analysis, forensic analysis, attack and penetration, defensive measures and vulnerability assessments. Mr. Jones holds two Bachelor of Science degrees. One in Electrical Engineering and the other in Computer Engineering. Keith has also earned a Master of Science degree in Electrical Engineering from Michigan State University. Mr. Jones maintains the Certified Information Systems Security Professional (CISSP) certification, is a Certified Computer Examiner (CCE), serves on the Board of Directors of The Consortium of Digital Forensic Specialists (CDFS) as President, and is an associate member of the American Bar Association (ABA). 9

10 Instructional Methods This program will use PowerPoint Presentations, group and panel discussions, as well as active participation. Requirements for Successful Completion of Program Participants must sign in/out each day and be in attendance for the entirety of the conference to be eligible for continuing education credit. iacet Credits EVENT LOCATION EUCI has been approved as an Authorized Provider by the International Association for Continuing Education and Training (IACET), 1760 Old Meadow Road, Suite 500, McLean, VA In obtaining this approval, EUCI has demonstrated that it complies with the ANSI/IACET Standards, which are widely recognized as standards of good practice internationally. As a result of its Authorized Provider membership status, EUCI is authorized to offer IACET CEUs for its programs that qualify under the ANSI/IACET Standards. EUCI is authorized by IACET to offer 1.0 CEUs for the conference and 0.3 CEUs for each workshop. The conference will take place at the offices of Troutman Sanders, LLP, 401 9th St NW #1000, Washington, DC PROCeEDINGS A copy of the conference proceedings will be distributed to attendees at the event. If you are unable to attend or would like to purchase additional copies, flash drives are available two weeks after the conference is complete. The cost per flash drive is US $395 (add US $50 for international shipments). Flash drives include visual presentations only. Upon receipt of order and payment, the flash drive will be shipped to you via regular USPS mail. NOTE: All presentation flash drive sales are final and are nonrefundable. 10

11 EVENT LOCATION The conference will take place at the offices of Troutman Sanders, LLP, 401 9th St NW #1000, Washington, DC please register the following Cybersecurity for Utilities: Compliance, Protection, and Improving Overall Program Efficiencies and both Pre-conference and POST-CONFERENCE WORKSHOPs: October 8-10, 2013 : US $2195 Early bird on or before SEPTEMBER 27, 2013 : US $1995 Cybersecurity for Utilities: Compliance, Protection, and Improving Overall Program Efficiencies and One workshop (Select below): US $1795, Early bird on or before SEPTEMBER 27, 2013 : US $1595 Pre-CONFERENCE WORKSHOP: October 8, 2013 POST-CONFERENCE WORKSHOP: October 10, 2013 Cybersecurity for Utilities: Compliance, Protection, and Improving Overall Program Efficiencies conference only October 8-9, 2013: US $1395 Early bird on or before SEPTEMBER 27, 2013 : US $1195 Workshops only: US $595 each, Early Bird on or Before September 27, 2013 US $495 Pre-CONFERENCE WORKSHOP: October 8, 2013 POST-CONFERENCE WORKSHOP: October 10, 2013 I'M SORRY I CANNOT ATTEND, BUT PLEASE SEND ME THE CONFERENCE PROCEEDINGS FOR US $395. (PLEASE ADD $50 FOR INTERNATIONAL SHIPPING.) EUCI s Energize Weekly newsletter compiles and reports on the latest news and trends in the energy industry. Newsletter recipients also receive a different, complimentary conference presentation every week on a relevant industry topic. The presentations are selected from a massive library of more than 1,000 current presentations that EUCI has gathered during its 26 years organizing conferences. Sign me up for Energize Weekly. How did you hear about this event? (direct , colleague, speaker(s), etc.) Print Name Job Title Company What name do you prefer on your name badge? Address City State/Province Zip/Postal Code Country Telephone List any dietary or accessibility needs here CREDIT CARD Name on Card Account Number Billing Address Billing City Billing State Billing Zip Code/Postal Code Exp. Date Security Code (last 3 digits on the back of Visa and MC or 4 digits on front of AmEx) OR Enclosed is a check for $ to cover registrations. All cancellations received on or before September 13, 2013, will be subject to a US $195 processing fee. Written cancellations received after this date will create a credit of the tuition (less processing fee) good toward any other EUCI event or publication. This credit will be good for six months. In case of event cancellation, EUCI s liability is limited to refund of the event registration fee only. For more information regarding administrative policies, such as complaints and refunds, please contact our offices at at (201) EUCI reserves the right to alter this program without prior notice. 11