Cybersecurity in the Energy/Utility Sectors

Transcription

1 Cybersecurity in the Energy/Utility Sectors Thomas Pearce Senior Utility Specialist, PUCO Chair, NARUC Staff Subcommittee on Critical Infrastructure NARUC Staff Subcommittee on Actg. & Fin. Portland, OR September 10, 2013

2 DISCLAIMER Nothing contained within this presentation shall be deemed to represent any positions or views of: the National Association of Regulatory Utility Commissioners (NARUC), its officers, staff, Committees, Subcommittees, or its member commissions; the State of Ohio, its governor, the Public Utilities Commission of Ohio, its chairman, its commissioners, its staff, nor even those of the author 1 1 Remainder of the legal disclaimer: if you re paying attention, that last item was injected for purposes of humor; it s okay to laugh and to take neither the presenter nor the presentation too seriously

3

4 Cybersecurity We thought it was funny in Ferris Bueller s Day Off It isn t funny anymore

5 Agenda Purpose: to provide an introduction to issues, concepts, and vocabulary to facilitate action What is cybersecurity? Threats/Vulnerabilities Principles of preparedness Role of government & regulators Where do we go from here?

6 Recent Headlines The five scariest hacks we saw last week (CNN, 8/5/13) from 2013 Black Hat & DefCon conferences this past month in Las Vegas: Remote-controlled cars (the ones we drive, not the Matchbox kind) Compromising smartphones (Angry Birds survillance via Android, iphone chargers converted to info gathering portals [passcodes, s, etc.]) The too-smart home (Smart meters & TVs w/cameras) Hackers get personal (phones as tracking & personal info distributors; w/o owner s knowledge) Industrial facilities (read detail)

7 Additional Recent Headlines Smart Homes are hacking risk (WSJ) ICS-CERT Warns of Brute-Force Attacks Against Critical Infrastructure Control Systems (Softpedia) Power utilities sparse reply to cybersecurity poll highlights publicity struggle (SNL News) U.S. Power Companies Under Frequent Cyberattack (Networkworld) Cyberattack leaves natural gas pipelines vulnerable to sabotage (CSMonitor) Can government, industry stay ahead of cyberthreats to pipe, utilities? (SNL)

8 Other Headlines (cont d) Decoy ICS/SCADA Water Utility Networks Hit By Attacks (Dark Reading) Cyber Threats To Energy Sector Happening At Alarming Rate (WSJ) DHS Warns of Password-Cracker Targeting Industrial Networks (Nextgov) Malicious Virus Shuttered U.S. Power Plant(Reuters) One-Third of Cyber Attack Traffic Originates in China, Akamai Says (Bloomberg) DHS: 40 percent of cyberattacks targeted energy sector (The Hill)

9 Transportation 3% Telecom 2% Health 2% Nuclear 3% THREAT LANDSCAPE Internet-facing 11% Incidents By Sector FY2012 Water 15% Critical mfg 4% Financial 0% Chemical 4% Agriculture 1% Commercial Facilities 10% Dams 0% Energy 41% Agriculture Financial Chemical Commercial Facilities Dams Energy Government IT Internet-facing Nuclear Health Telecom IT 0% Transportation Water Government 4% ICS-CERT Data Critical mfg

10 What is it? Cybersecurity National Institute of Standards and Technology (NIST): The ability to protect or defend the use of cyberspace from cyber attacks.

11 Cybersecurity I think information sharing is a top priority. Hon. Cheryl LaFleur, Commissioner, Federal Energy Regulatory Commission, when questioned about cybersecurity, Tuesday, March 19, 2013, before the U.S. House of Representatives Energy & Commerce Committee hearings on Gas/Electric coordination

12 Cybersecurity There have been cyber attacks on systems that control plants being turned on/off; they are like FERC fuel neutral. We need to guard against risks to energy management systems, wherever they are. Hon. Cheryl LaFleur, March 19, 2013 testimony to House Energy & Commerce Committee

13 Cybersecurity Isn t just stopping bad guys Vulnerabilities include: Software bugs User errors Control system equipment malfunctions Communications equipment failures Deliberate intrusions and sabotage

14 Information Technology Systems Corporate IT/business systems Industrial Control Systems/Supervisory Control And Data Acquisition (ICS/SCADA) (SCADA e.g., power generation, gas transmission, water treatment, telecommunications)

15 Who IS Playing In The Cyber Realm? Script-kiddies/basement hackers (Ferris Bueller) Criminal element (Letter from Nigeria) Aircraft carrier nation-states

16 Shodan Have you heard of it? What is it? Who? John Matherly There s an app for that

17 Vulnerabilities Smart Meters/AMI Increasing threats Current Trends Spam, Phishing, Malware Stuxnet, Duqu, Gauss, Flame, miniflame, Shamoon Types of threats

18 CYBER THREATS Aurora (2009) DHS/DOE experiment to hack generator control system Stuxnet (2010) Computer worm appearing to target Middle- East nuclear infrastructure SCADA malware; locational effects Targeted controls systems for uranium processing centrifuges Duqu (2011) Likely Stuxnet variant attacking MS Windows seeking info useful to attack ICS

19 CYBER THREATS Night Dragon (2011) Targeted global oil, gas & petrochemical companies, primarily US-based Obtain sensitive data Flame (2012) Aka Flamer/sKyWIper Stuxnet on steroids w/ Shamoon (2012) Targeted Saudi Aramco (damaged/destroyed more than 30,000 (½ computers connected to corp. network) Allegedly retaliation for being US ally

20 Cybersecurity is one element of all-hazards preparedness

21 Issues of Preparedness Assessments Equipment Policies: do you have a formal written employee internet security policy? Responses/action plans Do you have a cyber element/plan? Standards Information sharing

22 Implications for Utilities Delivery of services Reliability CO$T$ Industry actions & response AGA: ONG SCC & CSWG

23 Industry Actions & Response NIST/SGIP CSWG NERC CIP standards; committees; etc. EPRI, EEI, AGA, AWWA ONG SCC Electricity Sub-sector SCC

24 Some Government Response NIST/SGIP CSWG U.S. Department of Homeland Security: CIPAC & Sector Partnerships (GCCs/SCCs) - NARUC National Cyber Security Division (CSET Tool, US- CERT/ICS-CERT, ICSJWG) ICS-CERT fly-away teams (Springfield MO water utility) ICS-CERT Active Cyber Campaigns Against the U.S. Energy Sector Briefings (9 US late fall 2012) U.S. Department of Defense: CyberComm

25 Some Government Response (cont d) U.S. Department of Energy: Cybersecurity for Energy Delivery Systems (CEDS) Roadmap to Achieve Energy Delivery Systems Cybersecurity Cross-Sector Roadmap for Cybersecurity of Control Systems Vulnerability Analysis of Energy Delivery Control Systems Guide to Developing a Cyber Security & Risk Mitigation Plan ESC2M2 (Elec. Sector Cybersecurity Capability Maturity Model) NESCO/NESCOR (Nat l Electric Sector Cybersecurity Org)

26 Roles of State Commissions Cost recovery guidelines investment prudence Sensitive information develop handling protocols Rapid information sharing methods Review utility emergency response plans Regulatory oversight of reliability Promote State emergency planning efforts Understand interdependencies Engage in regional coordination and response

27 Some State Actions Regarding Cybersecurity NARUC: Cybersecurity for State Regulators v2.0 ( 0Primer%202.0.pdf ) State level actions: MO PSC: review/formal dialogue with state utilities PA PUC: annual certification/dialogue with state utilities CPUC: SmartGrid & SGIP CS, OH PUC: informal dialogue with state utilities TX PUC: SmartGrid & SGIP CS; work w/ercot

28 Private & Public Sector Responsibilities Cyber secure utility operations: utilities Defend against nation-state cyber attacks: national defense & law enforcement Effective cybersecurity: utility/regulator/federal partners

29 Some Things To Do Know what you need to protect Enforce strong password policies Map out a disaster preparedness plan Encrypt confidential information Use a reliable security solution Protect information completely Stay up to date Educate employees

30 DISCUSSION Are you seeing costs for security measures in new rate case applications? Physical security expenses? Cybersecurity expenses? If so, what is the order of magnitude? How are you evaluating propriety of investments?

31 THANK YOU! Thomas Pearce Chair, NARUC Staff Subcommittee on Critical Infrastructure Senior Utilities Spec., Public Utilities Commission of Ohio 180 E. Broad St. Columbus, OH