The Importance of Cyber Security and Risk Management

Transcription

1 CONFERENCE Cybersecurity for Utilities: Compliance, Protection and Improving Overall April 24-25, 2014 Offices of Troutman Sanders, LLP Washington, DC Pre-conference Workshop The New IT/OT/Telecom Convergence: How It Impacts Utilities Cybersecurity & How To Prepare and Manage the Convergence Wednesday, April 23, 2014 Dinner Workshop GridEx 2013: Preparation, the Attack and Lessons Learned Thursday, April 24, 2014 is authorized by IACET to offer 0.9 CEUs for the Conference, 0.4 CEUs for the Pre-Conference Workshop, and 0.3 for the Dinner Workshop. Sponsors 1

2 Overview As the Department of Homeland Security has reported, cyber security threats to the utility industry are increasing in number and sophistication. Because of this challenge, the North American Reliability Corporation (NERC) is increasing the Critical Infrastructure Protection (CIP) regulatory requirements to ensure organizations and facilities are meeting basic standards in this area. The White House and Congress are also increasingly concerned about critical infrastructure cybersecurity. Legislation, hearings, and the President s Executive Order/NIST Framework on Cybersecurity will all impact the way that owners and operators of critical infrastructure - including electric utilities - manage cyber risk. This conference will examine the changing industry standards and costs to comply with NERC CIP realm as well as legislative and executive changes, how the scope has expanded, and the best way for utilities to deal with issues from better controls to greater automation. Attendees of the conference will better understand the framework of the executive order, how to prepare and implement the changes and how to manage the costs that go with implementation, including protection, vendor risk, and cybersecurity team development. This conference will address liability issues best practices for electric utilities. Who Should Attend Utility and energy company staff from the following departments: Directors and CEOs Compliance and regulatory managers Legal and regulatory staff Information technology and information security Operations and engineering Administrative and support staff Control systems As well as: Attorneys and regulators Regional entity staff Contractors and vendors Learning Outcomes Discuss the NIST Framework key elements and applications Identify benefits and challenges of receiving SAFETY Act protections for a utility cybersecurity program Compare CIP version 5 to future versions as well as and other key security policy issues Discuss insurance liability exposure for information sharing Analyze the implications of the different CIP versions on generator owners and operators in regional blackstart programs Appraise the cost of adopting the NIST Cybersecurity Framework for utilities and tactics to recover those costs Discuss standards that help provide cybersecurity measurement Identify when to balance business needs against security controls Recognize when physical security is not enough to safeguard Critical Infrastructure Assets Review technical responses to smart grid incidents 2

3 Agenda Thursday, April 24, :30 9:00 a.m. registration & Continental Breakfast 9:00 9:30 a.m. Keynote: NERC Security Initiatives for the Bulk Power System - Brian Harrell, Associate Director of CIP Programs, NERC 9:30 10:15 a.m. NIST Framework 1.0: Where We Stand Now Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President under the Executive Order Improving Critical Infrastructure Cybersecurity has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. Framework version 1.0, to be published in February 2014, was developed in collaboration with industry and provides guidance to an organization on managing cybersecurity risk. The Framework relies on existing standards, guidance, and best practices to achieve outcomes that can assist organizations in managing their cybersecurity risk. By relying on those practices developed, managed, and updated by industry, the Framework will evolve with technological advances and business requirements. Building off those standards, guidelines, and practices, the Framework provides a common language and mechanism for organizations to: 1) describe their current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities for improvement within the context of risk management; 4) assess progress toward the target state; and 5) foster communications among internal and external stakeholders. - Jon Boyens, Senior Advisor - Computer Security Division, NIST - Vicky Yan Pillitteri, Advisor for Information System Security Computer Security Division, NIST 10:15 10:45 a.m. Networking Break 10:45 11:30 a.m. SAFETY Act: Challenges and Opportunities The SAFETY Act provides incentives for the development and deployment of anti-terrorism technologies, including a liability cap, a bar on punitive damages, and limitations on noneconomic damages. While the SAFETY Act might ultimately provide some benefits to the industry, there are a number of issues that require consideration and clarification before any utility should attempt to receive SAFETY Act protections. Bonnie Suchman will discuss the issues of concern with seeking SAFETY Act Designation or Certification for a utility cybersecurity program, particularly one based on the NIST Cybersecurity Framework. - Bonnie Suchman, Of Counsel, Troutman Sanders, LLC 11:30 a.m. 12:15 p.m. Decoding CIP Version 5 and Other Cybersecurity Challenges for the Electric Sector This presentation will discuss key highlights of CIP Version 5, key differences between Version 5 and previous versions, as well as what to expect from future versions of CIP. It will cover how CIP obligations align with the new NIST Framework, highlight information exchange in a post-snowden Era and discuss other key security policy issues on the Hill and in the executive branch. - Jacob Olcott, Good Harbor Consulting 12:15 1:15 p.m. Group Luncheon 1:15 2:00 p.m. Cybersecurity on a State Level - Christina Cody, Senior Program Officer, NARUC 2:00 2:45 p.m. insurance Liability Exposure for Sharing Information - Matthew McCabe, Marsh 2:45 3:15 p.m. networking Break 3

4 Agenda Thursday, April 24, 2014 (CONTINUED) 3:15 4:00 p.m. Considering CIP Compliance Responsibilities for Blackstart Generation The various versions of the CIP Standards have changed substantially with regard to cyber systems supporting blackstart generation. The uncertainty around CIP compliance responsibilities has made many entities think twice about enrolling generators in regional blackstart programs. Leading experts will discuss the implications of the different CIP versions on generator owners and operators. - John Paiserb, Senior Project Manager, GDS Associates - Alex Hobbs, Analyst, GDS Associates 4:00 4:45 p.m. Cybersecurity Cost Recovery and Regulatory Discussion The topic of cost recovery for cybersecurity investments is once again a hot topic, but what makes these investments different from historical investments in IT? How does a utility commission determine what are cost-effective cybersecurity investments? How might the federal government throw a wrench into this rate making machine? - Chris Villarreal, Regulatory Analyst, California Public Utilities Commission (Invited) 4:45 5:30 p.m. articulating Value of Security Through Cybersecurity Metrics Articulating a business case for cybersecurity is a challenge. This presentation will provide a primer on developing practical cybersecurity metrics and using them to articulate the value of cybersecurity in order to gauge performance and facilitate improvement. It will demonstrate productive and counterproductive (useful and useless) metrics, articulate the difference between metrics for internal and external consumption, and describe how to establish a cybersecurity measurement program. - Nadya Bartol, Senior Cybersecurity Strategist, UTC 5:30 6:30 p.m. networking Reception REGISTER 4601 TODAY! DTC Blvd., CALL Suite OR VISIT 4

5 Agenda Friday, April 25, :30 9:00 a.m. Continental Breakfast 9:00 9:45 a.m. Cybersecurity Reality: Knowing When to Compromise Effective cybersecurity involves identifying threats and applying mitigating controls designed to reduce risk to critical business systems. Unfortunately for security professionals, the realities of business are often incompatible with effective cybersecurity. It is therefore imperative to factor business systems and operational functionality into security design. This often includes compromising some aspects of security in the interests of the business. This presentation will address a few ways to work around these challenges in order to provide proper security controls without overly disrupting business processes. - Jon Stitzel, Security Analyst III, Ameren 9:45 10:30 a.m. Surpassing Physical Security Needs to Safeguard Critical Infrastructure Assets The mindset in today s business environment is to focus on computer hacking, cyber exploits and cyberspace identity theft. When dealing with protection of IT infrastructure, however, physical security is just as important when considering a holistic security model you cannot have one without the other. With the latest developments in cyber warfare against the power grid it is important that organizations identify risks, develop new physical programs, and conduct new dynamic models. The best cyber security plans are useless without a cohesive approach to physical security. By understanding the facilities characteristics (system characterization), the capability and motivation of those who threaten the facility (threat assessment) and the existing security posture, we can effectively analyze the vulnerabilities to a facility as they pertain to the identified threats. Physical security is in the forefront of many minds and generates increasing concerns as to the future security of the bulk electric system. - Jim Rowan, Manager- Critical Infrastructure Protection Programs Manager, SERC 10:30 11:00 a.m. Networking Break 11:00 11:45 a.m. A Technical Glance at Smart Grid Incident Response - Seth Bromberger, NCI Security 11:45 a.m. 12:00 p.m. Formal Q&A Session 5

6 Pre-Conference Workshop: The New IT/OT/Telecom Convergence: How It Impacts Utilities Cybersecurity & How To Prepare and Manage the Convergence Overview This workshop will assist utilities/generation/transmission IT & OT staff and management understand the rapidly advancing convergence of IT/OT/Telecom capabilities, its potential impact, and the means to address that impact. This will be focused on business leadership and cybersecurity management concerns within the perspectives of organizational culture, governance, risk, and technical operations. The end goal is to provide guidance, understanding, best practices, and specific techniques for organization to maximizing its benefits and proactively engage the challenges of the coming Convergence. Learning Outcomes Define Convergence and its impact on both the business and its cybersecurity functions Articulate organizational changes and engagement & communication methods, tools, techniques utilized to address the impact of convergence (viewed through the perspectives of organizational culture, governance, risk, and technical operations by business leadership and cybersecurity management) Illustrate successful best practices and observed/reported industry cases Agenda Wednesday, April 23, :30-1:00 p.m. Registration 1:00-5:00 p.m. pre-conference Workshop Timing Introduction & Common Terms What is the Convergence & its impact on the organization? What is the impact of Convergence specifically in terms of the organization s cybersecurity? Engagement & communication concepts and strategies to address convergence and its impact on cybersecurity Application of concepts and strategies into specific organizational constructs Review & summation Final questions and close 6

7 INSTRUCTORs Nadya Bartol / Senior Cybersecurity Strategist / UTC Nadya Bartol spent almost 20 years working in cybersecurity. At Utilities Telecom Council (UTC) she is responsible for helping UTC member utilities address cybersecurity challenges, from policies and standards to practical implementation. Prior to UTC she worked at a large consulting company leading security program management, supply chain risk management, security measurement, and standards engagements. She co-authored several NIST publications on the topics of measurement and supply chain risk management. She served as Co-chair of DoD/DHS/NIST SwA Measurement Working Group and a principal author of Practical Measurement Guidance for Software Assurance and Information Security. She is Project Editor for ISO/IEC Information technology IT security techniques Information Security for Supplier Relationships. Nadya was named one of the Top 15 Women in Energy by Fierce Energy in 2012 and a is recipient of International Committee for Information Technology Standards (INCITS) Team Award in 2013 for cyber supply chain standards work. Ernest Wohnig / CEO & CIP Cyber Security Principal / Wohnig, Chaman, and Associates Ernest Wohnig is an internationally recognized cyber security and assurance leader having written, presented, and advised senior corporate leadership on security and assurance issues across the energy and water sectors and to the federal government for over 20 years. He advises clients across a number of industries, helping them understand their risk posture and to develop proactive security strategies and programs resulting in clear alignment of cyber security practices and risk tolerance to business objectives. As CEO and Security Principal of Wohnig, Chaman & Associates, Ernest leads a specialized consulting firm providing cyber security and assurance and reliability advisory, assessment, and strategy services to senior commercial Energy and Federal sector clients. As Security and Assurance Principal he consults to clients on a range of issues including cyber and assurance strategy development and execution, information protection and risk management/response, convergence of physical/logical security, cyber program development and implementation practices, and intellectual capital development related to cyber and assurance issues in the industry. Prior to founding Wohnig, Chaman & Associate, Ernest lead the development and delivery of cyber security and assurance services for a large consulting firm s Infrastructure (Energy, Environment, & Transportation) division. He oversaw the design, implementation, and management of new programs, approaches, methodologies, and service solutions for C-suite clients in federal, public utility, and oil & gas entities. 7

8 Dinner Workshop: GridEx 2013: Preparation, the Attack and Lessons Learned Overview In November 2013, more than 200 industry and government organizations participated in the North American Electric Reliability Corporation s two-day cyber and physical security exercise. NERC designed the exercise, GridEx II, to enhance and improve cyber and physical security resources and practices within the industry. The exercise gave participants the opportunity to check the readiness of their crisis action plans through a simulated security exercise to self-assess response and recovery capabilities, and to adjust actions and plans as needed, while communicating with industry and government information sharing organizations. GridEx II, which built on lessons learned from NERC s initial exercise in 2011, brought together more than 1,800 participants from North America, including the electricity industry, the Department of Energy, Department of Homeland Security and Department of Defense and the Federal Bureau of Investigation, as well as Canadian and Mexican utilities and agencies. The scenario was designed to stress the system through a series of prolonged coordinated cyber-attacks against certain automated systems used by power system operators. The scenario also included coordinated physical attacks against key transmission substations and generation facilities. These attacks caused utilities to enact their crisis response plans and walk through internal security procedures. New York Power Authority was one of the utilities to participate in GridEx II. In this workshop, NYPA and NERC will discuss how each side prepared for the attack, their account of the attack, and lessons learned. Attendees will walk away with the understanding of how to prepare for an attack and an understanding of what the real life consequences of an attack can be. agenda / Learning Outcomes Thursday, April 24, :00-9:00 p.m. workshop Timing (Dinner will be provided) Review the history and purpose of GridEx Identify key participants Discuss how participants (utilities and NERC) prepared for the simulated attack Analyze what happened during the attack from both perspectives Analyze how the utility responded to the attack and the results of their actions Identify key lessons learned from the simulated attack 8

9 INSTRUCTORs Bill Lawrence / Manager of Critical Infrastructure Protection Awareness, Critical Infrastructure Department / NERC Bill is the Manager of Critical Infrastructure Protection Awareness at the North American Electric Reliability Corporation (NERC), where he manages the GridSecCon and GridEx programs. Prior to joining NERC, he flew F-14 Tomcats and F/A-18F Super Hornets for the Navy, and most recently was the Deputy Director, Character Development & Training Division, at the United States Naval Academy, where he also taught courses in Ethics and Cyber Security. Bill has a Bachelor s degree in Computer Science from the US Naval Academy, a Master s in International Relations from Auburn Montgomery, and a Master of Military Operational Art and Science from the Air Command and Staff College. He holds a Project Management Professional certification. James Rowan / Critical Infrastructure Protection Programs Manager / SERC Prior to joining SERC Jim Rowan was the leader of the Business Continuity Practice at AliTek Consulting in Houston, TX specializing in regulatory, business continuity, disaster recovery, security, and knowledge management. Jim has recently been chosen as one of 25 people to attend the Homeland Security Executive Leaders Program held at the Center for Homeland Defense and Security, Naval Postgraduate School, Monterrey, CA. With over 25 years of practical experience in regulatory, information technology, security, crisis management and business continuity in both government and the private sector, Mr. Rowan has served in senior management with Apple Computers, PriceWaterhouseCoopers, LLP, and QCorps, Inc. following his tenure as Department Head of the Management Information Systems Office of the United States Marine Corps. He was recognized as Apple Computer Inc. s Engineer of the year for He retired with the U.S. Marine Corps, having served as an aviator, tactical aviation instructor and special weapons/operations officer while deployed onboard several Atlantic Fleet aircraft carriers in a tactical aviation squadron. Other assignments included being the Director of Operations at Navy Operational Intelligence Command, Suitland, Maryland and as a tactical intelligence officer/aviator working with the Central Intelligence Agency, Defense Intelligence Agency, National Security Agency, Navy Fighter Weapons School (TOPGUN), the Navy Strike Warfare Center (SLATS), and the Marine Weapons Training Squadron (MAWTS-1) where he was a specialist in physical, logical, and geo-political vulnerabilities. He earned an ABD Ph.D. from LaSalle University, an MBA/MIS from the University of Maryland and a BS from the U.S. Naval Academy. Lena Smart / Chief Information Security Officer / New York Power Authority Lena has worked in cyber security for more than 20 years. She has worked at the New York Power Authority (NYPA) for 13 years, and has managed the cyber security group there for 10 years. Prior to NYPA, Lena worked for a private banking firm in London, and traveled throughout the world designing and implementing secure computer networks. Outside of work she plays cello in chamber ensembles, and a local orchestra. 9

10 Instructional Methods This program will use PowerPoint presentations, group and panel discussions, as well as active participation. Requirements for Successful Completion of Program Participants must sign in/out each day and be in attendance for the entirety of the conference to be eligible for continuing education credit. iacet Credits has been approved as an Authorized Provider by the International Association for Continuing Education and Training (IACET), 1760 Old Meadow Road, Suite 500, McLean, VA In obtaining this approval, has demonstrated that it complies with the ANSI/IACET Standards, which are widely recognized as standards of good practice internationally. As a result of its Authorized Provider membership status, is authorized to offer IACET CEUs for its programs that qualify under the ANSI/IACET Standards. is authorized by IACET to offer 0.9 CEUs for the Conference, 0.4 CEUs for the Pre-Conference Workshop, and 0.3 CEUs for the Dinner Workshop. EVENT LOCATION Troutman Sanders, LLP 401 9th St NW #1000, Washington, DC Phone: (202) PROCeEDINGS A copy of the conference proceedings will be distributed to attendees at the event. If you are unable to attend or would like to purchase additional copies, flash drives are available two weeks after the conference is complete. The cost per flash drive is US $395 (add US $50 for international shipments). Flash drives include visual presentations only. Upon receipt of order and payment, the flash drive will be shipped to you via regular USPS mail. NOTE: All presentation flash drive sales are final and are nonrefundable. sponsorship opportunities Do you want to drive new business through this event s powerful audience? Becoming a sponsor or exhibitor is an excellent opportunity to raise your profile before a manageably sized group of executives who make the key purchasing decisions for their businesses. There is a wide range of sponsorship opportunities available that can be customized to fit your budget and marketing objectives, including: Platinum, gold, or VIP sponsor Workshop sponsor Reception host Lanyard sponsor Networking break host Luncheon host Tabletop exhibit Breakfast host Custom sponsorship opportunities are also available. Please contact Jen Murray at or jsmith@euci.com for more information. REGISTER 4601 TODAY! DTC Blvd., CALL Suite OR VISIT 10

11 REGISTRATION information Mail Directly To: Electric Utility Consultants, Inc. () 4601 DTC Blvd., Ste. 800 please register the following EVENT LOCATION Troutman Sanders, LLP 401 9th St NW #1000, Washington, DC Phone: (202) Cybersecurity for Utilities and both Pre-conference and Dinner Workshop April 23-25, 2014: US $2195 Early bird on or before April 11, 2014: US $1995 Cybersecurity for Utilities and one workshop (CHOOSE ONE) Pre-CONFERENCE WORKSHOP: April 23, 2014: US $1795 Early bird on or before April 11, 2014: US $1595 Dinner Workshop : April 24, 2014: US $1795 Early bird on or before April 11, 2014: US $1595 Cybersecurity for Utilities conference only April 24-25, 2014: US $1395 Early bird on or before April 11, 2014: US $1195 Workshop only (CHOOSE ONE) Pre-CONFERENCE WORKSHOP: April 23, 2014: US $595 Early bird on or before April 11, 2014: US $495 Dinner Workshop : April 24, 2014: US $595 Early bird on or before April 11, 2014: US $495 I'M SORRY I CANNOT ATTEND, BUT PLEASE SEND ME THE CONFERENCE PROCEEDINGS FOR US $395. (PLEASE ADD $50 FOR INTERNATIONAL SHIPPING.) ENERG ZE WEEKLY s Energize Weekly newsletter compiles and reports on the latest news and trends in the energy industry. Newsletter recipients also receive a different, complimentary conference presentation every week on a relevant industry topic. The presentations are selected from a massive library of more than 1,000 current presentations that has gathered during its 26 years organizing conferences. Sign me up for Energize Weekly. How did you hear about this event? (direct , colleague, speaker(s), etc.) Print Name Job Title Company What name do you prefer on your name badge? Address City State/Province Zip/Postal Code Country Telephone List any dietary or accessibility needs here CREDIT CARD Name on Card Account Number Billing Address Billing City Billing State Billing Zip Code/Postal Code Exp. Date Security Code (last 3 digits on the back of Visa and MC or 4 digits on front of AmEx) OR Enclosed is a check for $ to cover registrations. All cancellations received on or before March 28, 2014, will be subject to a US $195 processing fee. Written cancellations received after this date will create a credit of the tuition (less processing fee) good toward any other event or publication. This credit will be good for six months. In case of event cancellation, s liability is limited to refund of the event registration fee only. For more information regarding administrative policies, such as complaints and refunds, please contact our offices at reserves the right to alter this program without prior notice. 11