Miles Keogh, NARUC Patrick Miller, Principal, NESCO Alan Rivaldo, Public Utility Commission of Texas Security

Transcription

1 Miles Keogh, NARUC Patrick Miller, Principal, NESCO Alan Rivaldo, Public Utility Commission of Texas Rick Lichtenfels, NCCIC US Department of Homeland Security Indianapolis IN, December

2 The Plan For Today What s the Cyber in Cyber security? What are we trying to protect? What threats do we face? What are the challenges of instituting cyber security? Where do the vulnerabilities within the system exist? What can Commissions do about it? What are the key questions to ask utilities?

3 What is Energy Assurance Response: It s is about responding to any hazard that disrupts energy supply and assuring a rapid return to normal conditions. Prevent and Protect: Its about mitigating the risk in the long run by making investments that provide for a more secure, reliable, and resilient energy infrastructure. This is a coordinated effort involving the private energy sector, working with local, State & federal governments. Cb Cyber security is an integral element of Energy Assurance.

4 Risk Assessment Risk is a function of [Consequence x Threat x Vulnerability] Loss of revenue Modification of User Errors Economic losses data in transit Equipment Failure Public safety Denial of service Inadequate Physical damage attacks physical security Cost of recovery & Theft of Natural hazards remediation information Flood Loss of confidence Spoofing Storms Decline in Stock Sniffing Earthquakes value Viruses/worms Pandemics Interdependencies Human Cascading engineering interdependencies

5 Is It Worth It? An imperfect formula for prudence: P V A Where P is the cost to protect something V is the value of the system (or data), and A is the cost of an attack, or risk taken to attack V may be variable over time, variable based on intent, or hard to measure. Example: Lucas Oil Stadium, January 2012, vs February 2012

6 Information Technology 101 Connectivity: how the systems talk to each other Hub Switch Managed Switch Router Firewall Next Generation Firewall Workstation/Server Devic ce Intellig gence dumb smart Smarter makes new vulnerabilities that need to be managed. It s not just that the devices can generate data, it s their ability to communicate data, convert it to intelligence, and take action based on intelligence.

7 Cyber Security Threats are Increasing The significant increase in new threats over the past year is indicative of the work of specialized malicious code authors and the existence of organizations that employ programmers dedicated to the production of these threats. 7

8 Cb Cyber Security Threats April / May 2007: Estonian economy largely shut down by cyberattacks cberattacksoriginating in Russia over a statue of Stalin; 2009 cyber attacks of Georgia prompted NATO comments. In 2001, hackers penetrated the California Independent System Operator; attacks were routed through California, Oklahoma, and China. Ohio Davis Besse nuclear power plant safety monitoring system was offline for 5 hours due to Slammer worm in January Aaron Caffrey, 19, brought down the Port of Houston in October, This is thought to be the first well documented attack on critical U.S. infrastructure. In March 2005, security consultants within the electric industry reported that hackers were targeting the U.S. US electric power grid and had gained access to U.S. utilities electronic control systems. In a few cases, these intrusions had caused an impact. In April 2009, the Wall Street Journal stated Chinese and other spies hacked into the U.S. electric grid and left behind computer programs that could allow them to disrupt service.

9 Technology Landscape Emergent intelligence A new digital world order Widespread connectivity Size matters & doesn t Hyper embeddedness Lingering legacy

10 Regulatory Landscape Smart Grid interoperability Compliance vs. Security White House proposals Data breach disclosure Vendor, utility responsibility Intelligent islanding

11 Cybersecurity Landscape Research, espionage, organized crime, cyber/information warfare Nation state quality defense is the new bar Isolation is extremely difficult Bolt ons are complex Cyber kinetic impacts

12 Threat Landscape

13 Threat Landscape

14 Vulnerability Landscape

15 Vulnerability Landscape

16 Vulnerability Landscape 46 new SCADA vulnerabilities issued a two week span

17 Aurora and STUXNET Aurora: an experiment to hack control systems and destroy a generator staged by the DOE and DHS STUXNET: a worm story with more intrigue and plot twists than a Tom Clancy novel The big question is whether/how to prioritize these concerns

18 Illinois Water System Incident A Nov. 18, 2001 Washington Post story quoted a cybersecurity analyst who asserted td that t Russian hackers had entered an Illinois water facility control system via the internet, and by intentionally ti mis operating it were able to damage and brick the pump. It appears this story is not accurate, and that the damage was caused by a contractor to the company while he or she was in Russia. nevertheless, e e ess, the water pump p control system was remotely accessed from Russia and operated in a way that damaged the pump.

19 Motivation for Cyber Intrusions Frequ uency Low High Gain System Control ability to remotely modify and operate the system as a vehicle for attack. Extortion criminal motivation to make money. Attacks Terrorism and Nation State attacks objective to disrupt, destroy, frighten. Disgruntled current or former employees. Theft organized crime, US, International and individuals. Objective to make money and often do not want the theft to be discovered stealth. Intrusion unauthorized access to information and the potential to uses information to do harm.

20 Consequence of Cyber Intrusions Power outage only no control systems affected or infected. The response may be similar to any of the All hazards type of events. The attack causes physical damage to equipment. This would be like an All Hazards event, but depending on the scope of the damage may take longer to repair and if repaired could it be damaged again if the perpetrators are not caught? Access to information, such as system maps or customer information i that facilitates other types of attacks, physical or cyber. Control systems affected within or without a power outage. This may require a different response than those commonly used in an All Hazards plans. It may take longer to find and remove the problems.

21 We know security: what changed? Ubiquity of, and dependency on, networks A network is cheaper, faster, more effective, and ultimately t l more secure Ease of sophisticated attack. Reliance on commercial software. Evolution toward distributed networks. Interdependencies between sectors.

22 Cyber Security: Three Flavors Business Systems Control Systems Smart Grid 22 22

23 Business Process System Security This is what we usually think of: antiviruses, ii passwords, firewalls, etc. Protecting four areas: 1. Confidentiality preventing unauthorized access to information 2. Integrity preventing the unauthorized modification or theft of information 3. Availability preventing the denial of service and ensuring authorized access to information 4.Non Repudiation preventing the denial of an action that took place or the claim of an action that did not take place

24 What is a control system? Sensor Control Programmable Valve Logic Controllers L1 STOP START M M M M O.L. L2 M S R Basic Motor Control Ladder Logic Human Machine Interface Control Center I/O Meters Sensors Field Devices... FIELD DEVICES Remote Comms Master PLC IED RTU Controller... Protocols Wired Wireless... SCADA server HMI EMS DCS... CONTROL CENTER

25 IT Security vs. Control System Security TOPIC Anti-virus/Mobile Code Support Technology Lifetime Outsourcing Application of Patches Change Management Time Critical Content INFORMATION TECHNOLOGY Common/widely used CONTROL SYSTEMS Uncommon/impossible to deploy 3-5 years Up to 20 years Common/widely used Rarely used Regular/scheduled Regular/scheduled Generally delays accepted Slow (vendor specific) Rare Critical due to safety Availability Generally delays accepted 24 x 7 x 365 x forever Security Awareness Good in both private and public sector Poor except for physical Security Testing/Audit Shdld Scheduled and mandated dtd Occasional 2002 PA Knowledge testing tilimited for outages Physical Security Secure Remote and unmanned

26 Smart Grid Introduces Complications

27 And that s not even considering the meter or appliances.

28 Insert slide on smart grid meter stuff

29 Types of Threats Wholesale Threats & System Compromise Retail threats and confidence crippling Strategies: Bypass Controls Resource Exhaustion Man in the Middle Middl or Network Barge In Indiscretions by personnel Back Office Compromise Authorization Violation and Credential Compromise Denial of Service Theft of service: cloning, device swapping, communications gear compromise Threats to privacy and confidentiality

30 What are the sources of threats? 1. Inadvertent Errors 2. Power System Equipment Malfunctions 3. Communications Equipment Failure 4. Deliberate Sabatoge

31 Nothing New Under The Sun Mature security practices; highly refined Defense in Depth Principle of Least Privilege Segregation of Duties Need to Know Confidentiality, Integrity, Availability No Silver Bullet, 100%, Total Security Strong protection has never been easy, inexpensive or quick to implement There may be a tradeoff between functionality and security

32 Strategies for Defense In Depth Governance, policy Authentication Authorization Admission control Encryption Integrity checking Auditing, detection

33 Proven Security Solutions Physical Protection Network Controls: Admission, Segmentation Strong ID, Authentication and Authorization Aware Person System (Training and Awareness) Intrusion Detection/Prevention i Integrity Assurance Application Whitelisting ti Response and Recovery Records and Auditing

34 You Don t Need a Perfect Defense If defensive measures can be beaten, does the system ensure the results of the attack are : Unprofitable Limited in its ramifications Hard enough to make the juice not worth the squeeze Difficult to replicate Quickly and easily recoverable Traceable and easy to detect; and Otherwise unappealing

35 Cyber Security Requirements & Resources For the Bulk Power System: The North American Electric Reliability Corporation Standards CIP 002 through CIP 009 (the Critical Cyber Asset Identification portion of the Critical Infrastructure Protection standards) 20 p p p For the Smart Grid: The National Institute of Standards and Technology (NIST) is developing set of smart grid interoperability standards d and specifications for inclusion i in the Smart Grid Interoperability Standards Framework, Release 1.0. These include three volumes on cyber security. IR 7628 p

36 Smart Grid Interoperability Standards NIST Interagency Report 7628 (NISTIR 7628) Collaborative effort between federal agencies, regulators, private sector and academics To be used as a guideline to evaluate overall Smart Grid cyber risks during implementation and maintenance It is not mandatory

37 NESCO/NESCOR National Electric Sector Cyber Security Organization (NESCO) Managed/operated by EnergySec with funding assistance from DOE First public privateprivate partnership in the electric sector Brings together utilities, federal agencies, regulators, researchers, and academics. Purpose is to establish a National Electric Sector Cyber Security Organization that has the knowledge, capabilities, and experience to protect the electric grid and enhance integration of smart grid technologiesthatareadequately that are adequately protected againstcyberattacks. attacks. National Electric Sector Cyber Security Organization Resource (NESCOR) EnergySec was tasked with forming the NESCO organization and EPRI was selected to serve as a research and analysis resource to the NESCO program.

38 NERC CIP Gaps What s missing? Distribution systems Some Generation systems Some Bulk Transmission Serial control systems State Commissions may need to ask questions and require performance for greater coverage

39 Smart tgidi Grid Investment tgrant tprogram Requires a description of how cyber security concerns will be addressed d with respect to the use of best available equipment and the application of procedures and practices involving system design, testing, deployment, operations and decommissioning, including at a minimum: ii i. A description of the cyber security risks at each stage of the system deployment lifecycle, ii. Cyber security criteria i used for vendor and device selection, iii. Cyber security control strategies, iv. Descriptions of residual cyber security risks, v. Relevant cyber security standards d and best practices, and vi. Descriptions of how the project will support/adopt/implement emerging smart grid security standards. From: Notice of Intent to Issue a Funding Opportunity Announcement For the Smart Grid Investment Grant Program, April 16, 2009

40 Increased attacks to business processes NERC CIPC compliance is driving new expenditures by utilities The deployment of smart grid. These are increasingly drivers for cost recovery consideration and other contexts in cases that are coming your way very soon. Is that reflected in what you re seeing / hearing?

41 PUCs don t need to become cyber experts or enforcers, but if you ask a utility a question they will return with an answer. Security theater is a waste of money Information Management and risk perception remains an unsolved issue Fines and legal fees are not assets People are needed for security, not just technology 41

42 Pennsylvania Missouri Michigan Connecticut

43 1. We can t protect it so don t share it. 2. We can t protect it onsite but can see it at your site 3. We can protect it in a special case 4. We can protect it within a standard case with a secure hearing 5. We can protect it as a matter of course Some of these approaches require people with specialized skills, clearances, or professional relationships 43

44 Information is sometimes the asset Establish a critical ii infrastructure information i handling policy. Know your state s s FOIA rules & Implement FOIA exemption rules that properly address utility sectors and associated processes Automatic protection of CI information Multiple methods or categories of protection CI data storage, management and dissemination Communicate non disclosure procedures Implement stronger protections for security and cybersecurity info than for commercially sensitive info 44

45 A security clearance may help here Perhaps views information offsite Handles sensitive information, and disseminates information to those who can act Represent Commission in cooperative efforts with State EMA and/or the Governor s Office Implement DHS State Protected CII Officer Program and FERC point of contact on CEII requests Compliment to the Energy Emergency Assurance Coordinators (EEAC) Program 45

46 Are the costs prudent? Will the resulting system be more secure and the power grid less vulnerable to outages and allow for faster recovery when outages occur? To what degree have cyber security requirements been met? (Are PUC staff knowledgeable about cyber security and know the questions that need to be asked?)

47 Does your company have a cyber security strategy? t Has your organization conducted a cyber risk or vulnerability assessment of its information systems, control systems, and other networked systems? Has your company conducted a cyber security evaluation of key assets in concert with the National Cyber Security Division i i of the Department t of Homeland Security? Does your company have a cyber security plan? Is there a cyber security component of your company s physical security plan? Has your cyber security plan been reviewed in the last year and updated as needed? Is your cyber security plan tested regularly? l

48 Describe the company s compliance status with NERC CIP 002 through CIP 009. What organizations or efforts has your company interacted with or become involved with to improve its cybersecurity posture (such as NESCO, NESCOR, Fusion centers, Infragard, US CERT, SANS, the Cross Sector Cyber Security Working Group of the National Sector Partnership, etc.)? Can your company identify any other relevant cyber security standards and best practices that apply to its systems? Can the company certify its compliance, or identify that it has a timetable for compliance? Compliance as a floor, not a ceiling: are there beyondcompliance activities?

49 What cyber security criteria i are used for vendor and device selection? Have vendors documented & independently verified their security controls? Does your company use the MS ISAC SCADA Procurement Language? Available at If not, does your company use other recommended SCADA procurement language?

50 Does your cybersecurity strategy categorize the criticality of systems, components, functions, and networks? What differences in security approaches are used for each category? How is security addressed (conceptually) for each major electrical component: distribution, transmission, generation, retail customers. Has your organization conducted an evaluation of the cyber security risks for major systems at each stage of the system deployment lifecycle? l Please provide risk assessment documentation at the utility site (without PUC taking possession)

51 Is cybersecurity budgeted for? Are individuals specifically assigned cybersecurity responsibility? Does your company employ IT personnel directly, use outsourcing or employ both approaches to address IT issues? For companies that lack a full IT department, explain if one individual in your company is held responsible for IT security. What training is provided to personnel that are involved with cyber security control, implementation and policies? What personnel surety / background checking is performed for those with access to key cyber components?

52 For the most critical systems, are multiple operators required to implement changes that risk consequential events? Has business process cybersecurity has been included in continuity of operations plans for areas like customer data, billing, etc.? Describe the company s current practices that are employed to protect proprietary information and customer personal information. Does the company collect personally identifiable information electronically? What type of information (name, address, social security number etc.) is collected? Is there a policy for the protection of this information?

53 Identify whether the company has identified points of contact for cyber security: Emergency management / law enforcement? National security? DHS, including protective and cyber security advisors? Fellow utilities, ISO/RTO, NERC CIPC, others? NESCO, VirtualUSA, Einstein, Fusion centers, Infragard, US CERT? Interdependent system service providers? Are interdependent service providers (for example, fuel suppliers, telcos, meter data processors) included in risk assessments?

54 Is security integrated between business systems and control systems? For the existing iti grid and for the smart grid? Have logical and physical connections to key systems been evaluated and addressed? To control expenses, does the company employ risk/benefit ik/b analysis when purchasing vulnerability solutions in each of the following areas: cyber security, SCADA, Smart Grid, Internet t connectivity, it and Web site hosting? If so explain li the process in each area and how both risks and benefits are valued. Has the company considered d cybersecurity in the replacement and upgrade cycle of its networked equipment? Does this include smart meters?

55 Does the company maintain standards and expectations for downtime during the upgrade and replacement cycle? Does the company have equipment dependant d on over the air upgrades to firmware or software, or have plans to implement such systems? Does the company have a plan in place to maintain system security during statistically probable upgrade failures?

56 Is the cybersecurity policy reviewed or audited? Internally or by an outside party? What qualifications does the company consider relevant to this type of review? What network protocols (IP,,proprietrary, p etc.) are used in remote communications? What functions types are associated with each protocol? Is the potential vulnerability of each protocol considered in deployment? Are records kept of cybersecurity access to key systems? Are systems audited to detect cybersecurity intrusions? What reporting occurs in the event of an attempted cybersecurity breach, successful or not?

57 Has cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber / physical attack? Discuss what the Department can do to assist your company in the area of cyber security.

58

59 Miles Keogh Director, Grants & Research NARUC

60 Homeland Security

61 CSSP Products and Services ICS-CERT Vulnerability analysis Incident response support CSET Policy-based tool Training Instructor-led and online ICSJWG Government-Industry partnerships ICS analysis and informational products Homeland Security

62 Industrial Control System Cyber Emergency Response Team (ICS-CERT) CERT) Analyzes malware and vulnerabilities affecting industrial control system components Provides situational awareness in the form of actionable intelligence Develops mitigation strategies and coordinate the responsible disclosure of vulnerabilities/mitigations Partners with private and governmental stakeholders to share and coordinate vulnerability information and threat analysis through information products and alerts Homeland Security

63 Incident Response Support Assist asset-owners Onsite fly away teams Network architecture Data collection Mitigation Offsite technical analysis teams Analysis of collected data Customer reporting Bridge threat awareness gap Homeland Security 63

64 Incident Response Team Observations A lack of established security practices and adequate awareness among company employees has resulted in compromised networks Apparent attacker knowledge and targeting of control systems Spear Phishing attacks are a common method of gaining g footholds into corporate networks Demonstrated ability by attackers to penetrate networks, evade detection, move within/between networks, and maintain presence Increase sophistication in reconnaissance efforts by attackers Inadequate security measures applied to remote log-in capabilities Homeland Security 64

65 Cyber Security Evaluation Tool (CSET) Assessment Covers Policy, Plans, and Procedures in 10 Categories Creates baseline security posture Provides recommended solutions to improve security posture Allows for standards specific reports (e.g., NERC CIP, DOD , NIST SP800-53) Homeland Security

66 Education & Training Instructor-Led Courses Weeklong, hands-on training at the Control System Analysis Center (CSAC) in Idaho Combination of classroom and Red Team / Blue Team scenarios Integration of real world network equipment and control system components Web Based Training Cyber Security for Control Systems Engineers and Operators Operational Security (OPSEC) for Control Systems * Homeland Security

67 Industrial Control Systems Joint Working Group (ICSJWG) Formed under the National Infrastructure Protection Plan framework to engage government and private sector control systems stakeholders Government Coordinating Council Sector Coordinating Council Subject Matter Experts International Community Fosters information sharing and coordination of activities and programs across government and private sector stakeholders involved in protecting CIKR Homeland Security

68 Cyber Security Procurement Language for Control Systems Provides sample or recommended language for control systems security requirements New SCADA / control systems Legacy systems Maintenance contracts Information and personnel security Helps to ensure that t security is builtin to procurement packages and not bolted on Homeland Security

69 Contact Information Report Control Systems cyber incidents and vulnerabilities Report general cyber incidents and vulnerabilities or , Sign up for cyber alerts Learn more about Control Systems Security Program t t cssp@dhs.gov Homeland Security

70

71 Four Steps To Building a Cyber Security Capability Additional Slides!

72 Building a Cyber Security Capability Cyber security is not a one time activity, like building a fence for protection. Because smart grid will be built over time, cyber security must also grow and evolve over time to address threats and vulnerabilities. For additionalbackgroundinformation information oncybersecurityseethenaseoenergy see the Energy Assurance Guidelines (pages 23 to 29). A critical prerequisite to this is for State energy offices and public utility commissions to assign staff resources to cyber security on an ongoing g basis. This might also be done using a team or taskforce approach. The National Association of Regulatory Commissioners also adopted a Resolution Regarding Cyber Security in February 2010 that states in part: That NARUC supports member commissions in becoming and remaining knowledgeable about these threats, and ensuring that their own staffs have the capability, training, and access to resources to adequately review and understand cyber security issues that enhances expertise in the review of cyber security aspects of filings by their jurisdictional utilities

73 Distinguish Between Utility Operations And National Defense / Law Enforcement Cyber y secure utility operations is the domain of utilities. Defending against nation-state cyber attacks and cyber terrorism are national defense and law enforcement matters. Effective cyber security takes utility / regulator / federal agency (DHS, etc.) partnership.

74 A Five Step Process to Building Capability Step One Understand the State s internal cyber security profile. 1. Understand cyber security risks at work and at home. Many States and organizations have guidance available. For an example see: 2. Identify the individuals in the State who have the primary roles for addressingcybersecurity security, and identify their roles and responsibilities. 3. Determine which State agency, if any, has lead and/or supporting roles and responsibilities in cyber security as it directly relates to smart grid implementation. 4. Know what the State s Continuity of OperationsPlans (COOP) and disaster recovery strategies are that pertain to the essential cyber security systems. 5. Determine if it may be helpful to become a member of the FBI s InfraGard Program: 6. Become familiarwith the U. S. Computer Emergency Readiness Team (US CERT), which provides response support and defense against cyber attacks for the Federal Civil Executive Branch, as well as information sharing and collaboration 7. The SANS S(SysAdmin, Audit, Network, Security) Institute tute is a good resource see:

75 Step Two Understand current cyber security for the energy sector. 1. Electricity and smart grid: NERC Standards CIP 002 through CIP 009 (the Critical Cyber Asset Identification portion of the Critical Infrastructure Protection Standards Section 1305 of Energy Independence and Security Act (EISA) 2007 defines the roles of both Federal Energy Regulatory Commission and NIST as they relate to the development and adoption of smart grid standards. The Act defines the Commission s role as: At any time after the Institute s work has led to sufficient consensus in the Commission s judgment, the Commission shall institute a rulemaking proceeding to adopt such standards d and protocols as may be necessary to insure smart grid functionality and interoperability in interstate transmission of electric power, and regional and wholesale electricity markets. 2. Understand the cyber security requirement for other parts of the energy sector including natural gas (pipeline p safety standards) and the petroleum sector, because of the interdependency effects that need to be considered. 3. Under EISA 2007, NIST has "primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems " One of the primary documents was issued in January 2010 and titled Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0 (Framework). The Framework identified 75 interoperability standards that are applicable, or are likely applicable, to the ongoing development of smartgrid technologies and applications. NIST developed Guidelines for Smart Grid Cyber Security.

76 Step Three Understand future standards and guidelines currently under discussion and development, and how they may affect utilities plans for smart grid deployment 1. The Advanced Security Acceleration Project for the Smart Grid (ASAP SG) is a utilitydriven, public private collaborative among DOE, EPRI, and a large group of leading North American utilities. ASAP SG is developing system level security requirements for smart grid applications, such as advanced metering, third party access for customer usage data, distribution automation, home area networks, and synchrophasors. 2. Over the next three years, the National Electric Sector Cyber Security Organization (NESCO) will be working with the National Electric Sector Cyber Security Organization Resources (NESCOR) to lead a broad based, public private partnership to improve electric sector energy systems cyber security

77 Step Four Determine whether there are cyber security plans in place, and are they driven by State regulatory or Federal grants compliance or other policies and programs. 1. What requirement are not Standards driven? 2. Are there regulatory efforts underway at a State public utility commission to create audit, reporting and compliance obligations on cyber security for the utilities 3. Are there State policy and program that address cyber security? 4. How is your State approaching the public private partnerships as provided for in the National Infrastructure Protection framework and the Energy Sector Specific Plan 5. The ARRA Smart Grid Investment Grants program required utilities proposing p projects to develop cyber security plans. These Grants require: A description of the cyber security risks at each stage of the system deployment lifecycle. Cyber security criteria used for vendor and device selection. Cyber security control strategies. Descriptions of residual cyber security risks. Relevant cyber security standards and best practices. Descriptions of how the projects will support/adopt/implement emerging smart grid security standards. 6. Public utility commissions need to address how regulated utilities will pay for the necessary infrastructure upgrades to meet the cyber security requirements

78 Step Five Consider and address the human element of cyber security. While this step is last, in many ways it is also one of the most important. It represents a serious ongoing gvulnerability, and therefore it is critical to assure that it is properly addressed. 1. Understand what the insider threat is and what policies and procedures are in place to prevent intrusion and manipulation. 2. Understandwhat social engineering isand how itcan be used to access systems 3. Understand that technical solutions to security should account for human behavior, which can be driven by both cultural and psychological factors. 4. Understandthe the nature of the threat fromemployees employees, contractors, consultants, or anyone with short or long term access to IT systems, and know about system vulnerabilities. 5. Understand that the effect of new systems on consumer behavior could be both a plus and a minus. Itcould strengthen security or incite actions to attack the system.