Cyber Security and Other Realities of Our Digital World Andy Dickson IT Director Nuclear Fleet Operations

Transcription

1 Cyber Security and Other Realities of Our Digital World Andy Dickson IT Director Nuclear Fleet Operations

2 What Changes Are We Facing? Cyber Security Regulation and Threats Changing IT Landscape and Expectations Changing Industry

3 Exelon Overview Exelon Generation Exelon Utilities Power Generation Constellation ComEd, PECO & BGE Largest merchant Generation fleet in the nation (~35 GW of capacity), with unparalleled upside One of the largest and best managed nuclear fleets in the world (~19 GW) Significant gas generation capacity (~10 GW) Renewable portfolio (~1 GW), mostly contracted Retail & Wholesale Leading competitive energy provider in the U.S. Customer-facing business, with ~1.1 M competitive customers and large wholesale business Top-notch portfolio and risk management capabilities Extensive suite of products including Load Response, RECs, Distributed Solar One of the largest electric and gas distribution companies in the nation ~6.6 M customers E Diversified x across three utility jurisdictions e Illinois, Maryland and Pennsylvania l Significant o investments in n Smart Grid technologies Transmission infrastructure improvement at utilities Competitive Business Regulated Business Exelon is the largest competitive integrated energy company in the U.S. 3

4 Exelon Nuclear and My IT World By the Numbers 10 Nuclear Sites 17 Reactors (12 BWRs, 5 PWRs) 3 EOFs 2 Corporate Campuses 9 EP offsite staging facilities 21 Scientech R*Time PPCs 6 Legacy PPCs PCs 300 Business Servers 180 Real Time Servers 25 Firewalls 40 Routers 500 Switches/Routers 40 Data Diode Pairs

5 Is the glass half empty or half full? Challenges AND Opportunities!

6 What Changes Are We Facing? Cyber Security Regulation and Threats Changing IT Landscape and Expectations Changing Industry

7 Current Activity and Threats Question: What is the average time to infection of an unprotected Windows PC connected to the internet? Answer: 20 Minutes (SANS Internet Storm Center) Question: How many pieces of New Malware are created every day? Answer: >1 Million (Symantec)

8 Most targeted critical infrastructure sectors You Are HERE Source: ICS-CERT Incidents October 2012 to May 2013

9 Brief History of Nuclear Cyber Security (10CFR73.54) NEI 04-04, Cyber Security Program for Power Reactors, NEI -NERC MOA on CIP Cyber Attack Added to Design Basis Threat NEI Implemented and New NRC Cyber Rule Issued SSEP Systems 2009 NRC Decides Program Must be DETERMINISTIC NRC Endorses NEI 08-09, Cyber Plan Template Standard for the Industry NRC Approves Cyber Security Plans NRC Approved Interim Milestone Approach (1-7) Implemented Across Industry 2013 NRC Interim Inspections Begin Program Fully Implemented

10 Nuclear Plant Cyber Security Control and Data Acquisition Systems protected by Data Diodes Site Business LAN protected by Firewalls Data Centers Protected by Firewalls Nuclear Industry Has Isolated all Plant Control and Data Acquisition System by One-Way Deterministic Devices (Milestone 3)

11 This Leaves With Data Diodes in Place, Focus Shifts Swift Quickly to Portable Media Thank You Stuxnet Scanning Control Sanitization Security/Employee Awareness (Milestone 4)

12 Current State 137 Controls, broken into 698 Sub-Controls Must Be Assessed for EACH Critical Digital Asset Do the Math! 14 of the 22 Scheduled NRC Interim Milestone Inspections have been conducted Inspection Team s interpretation of Milestones 1-7 differs from the industries Current Deterministic Approach Treats EP Assets in the EOF the Same as Target Set Indications from NRC that they would consider moving to a Consequence-based Approach Industry must Seize the Opportunity Program can Conflict with Technology Improvements like Wireless Monitoring - Cost/Controls

13 Example of Evolution in Interpretations Issue Original Approach Current Approach Antivirus Scanning Kiosks for Removable Media Digital Test Equipment Engineering Configuration Control EP Assets (Business LAN) Leverage Enterprise Antivirus (AV) Solution Scan if Able For Plant Systems Take Credit for Existing Enterprise Cyber Controls Use Hardened, Multi AV, Network- Detached Solution Must be scanned, hardened, and controlled For Plant Systems and EP Facilities Need to Isolate and Provide Separate Controls

14 Cyber Security Challenges Threats are Real Nuclear Industry Cannot Tolerate Even Perception of a Breach Current Regulatory Interpretations and Lack of Graded Approach Stand to Drive Significant Up Front and Ongoing Costs and Complexity Opportunities Data Diodes and Removable Media Practices Have Fortified our Plants Significantly Program has Driven Better Documentation, control, and Disaster Recovery for Important Systems NRC Listening to Industry on Graded Approach

15 What Changes Are We Facing? Cyber Security Regulation and Threats Changing IT Landscape and Expectations Changing Industry

16 Changing Technology Landscape OR What s going on beyond the Data Diode? Source: Intel Inside Scoop 3/13/2012

17 Today s Challenges...the explosion of Digital Technologies has significantly increased requirements to improve efficiencies 17 Enabling Operational Efficiencies & Emerging Technologies Overview

18 Social Media Source: Forbes Website

19 NEI.org Post-Fukushima Page View Source: NEI

20 Cloud Computing Gartner predicts that by 2015, 35% of Enterprise IT Expenditures for most organizations will be managed outside of IT Departmental Budgets. Source: NIST Cloud Model Security a barrier to adoption Beware of 10CFR810 for Nuclear Pay attention to new demands on Internet pipe

21 BYOD Rationale: Consumerization & Anytime Access Trends Consumer Behavior Device Adoption Accelerating Usage Ubiquitous Access IT Consumerization Next Generation Employees want to work with technology and functionality that they can readily get in the marketplace Rise of Mobile Elite workers Mobility and flexibility are the focus of consumer technology 40% of devices being used for business purposes are personally owned. 10% increase between Diversification and Proliferation 7.5B Smartphones by 2015 from 4.6B in M Tablets by 2015 from 17M in M M2M Connections by 2015 from 80M in Ovum, Current Analysis, Current Analysis, 2011 Acceleration and Integration 76.9B Mobile Apps downloaded in 2014 from 10.9B in M Mobile Video Users by 2015 from 3.4M in Over 100M views a day via YouTube mobile in IDC, In-Stat, YouTube, 2011 Virtualization and Ubiquity 998.1M Mobile Cloud App Subscribers in 2014 from 42.8M in M Mobile-Only Internet Users by ABI Research, ARS Technica, IDC, 2011

22 BYOD Rationale: Benefits To Employees & Exelon Employee Satisfaction Single device to carry Employees empowered to choose device and plans Increased mobility Workforce Productivity Increased remote workforce productivity with any time, any where, any device access Improved cycle time for approval tasks & issue resolution Improved communications and business efficiency Effective Controls & Management Oversight Consistent BYOD policy and approach to determining employee stipend amounts Automated portal for onboarding employees Accurate tracking & reporting for management One Culture Consolidate multiple programs with different policies Enable ease of use and self service Encourage collaboration and advancement of an culture

23 Changing IT Landscape Challenges Social Media is Here Control Your Message or Someone Else Will Cloud-sourcing present Technical And Nuclear- Specific Challenges BYOD is Happening Today - Must Deal with It Opportunities Embrace Social Media to Get You Message Out Directly to Customer and with Great Speed Leverage Cloud as A Part of your IT Strategy to Speed Deployments, Reduce Internal Complexity and Provide Anytime-Anywhere Access where the Fit is Right Seize the Advantages of BYOD

24 What Changes Are We Facing? Cyber Security Regulation and Threats Changing IT Landscape and Expectations Changing Industry

25 What s Going on in our industry Shale Gas Disruption Nuclear Plant Closings Keewaunee - Wisconsin Crystal River - Florida SONGS California Post-Fukushima Mitigations Changing Workforce Demographics

26 What s Going on in our industry New Nuclear Construction Southern Company Vogtle 3 &4 SCANA/SCE&G Summer 2&3 TVA Watts Bar 2 Source: SCANA Corporation INSIGHTS Spring 2013

27 Changing Industry Challenges Gas Prices will Continue To Challenge the Economics of US Nuclear Fleet and Lead to Potential Additional Plant Closings Regulations like for Fukushima and Cyber Security will Apply Additional Financial Challenges Retaining Critical Knowledge and Skills as the Work Force Changes Particularly for Legacy Systems Opportunities Leverage Emerging Technology to: Automate and Improve Ineffective Processes Develop Optimal Solutions to Address Regulations Facilitate Knowledge Transfer and Retentions Attract Best Talent Promote Benefits of New Nuclear Technology

28 Closing So, Is the Glass Half Empty or Half Full? Technology Creates Both the Challenge and the Opportunity We Can Embrace Change, Seize Opportunities or Be Overwhelmed by the Challenges Its Up to Us!