Energy

Understand the regulations that impact the energy industry and accelerate information security initiatives.

Contents

- Overview
- A Highly Vulnerable Energy Industry
- Key Regulations to Consider
  - Cybersecurity Management
  - Energy Organization Management
- Risks
- How AccessData Can Help
- Benefits to Energy Organizations
- Contact/Sales Information
Overview

The energy industry is among the largest and most important industries in many industrialized nations. Of the ten largest companies in the world, seven are energy producers and/or related providers [1]; in the United States, four of the Fortune 500 top ten are energy-related companies [2]. The electrical infrastructure in the United States is valued in excess of $1 trillion in assets, with roughly 1,075 gigawatts of generating capacity and more than 200,000 miles of transmission facilities. The United States has 3,273 traditional electric utility power plants and 1,738 non-utility power producers [3], as well as more than 100 oil companies. As of 2012, there were more than 43 million smart meters in use in the United States, most of which were in residential installations [4]. The energy industry in the United States employs approximately 600,000 people and accounts for annual sales of more than $500 billion.

Because the energy industry possesses so much highly confidential and proprietary information and is integral to the health and vitality of the economies in which it operates, it represents an enormous target for cybercriminals. While energy companies need to adhere to a growing body of regulations focused on maintaining records and managing their business properly, the more immediate issue, and one that represents an imminent threat, is protecting the security of the wide range of assets that energy and related companies operate. This includes protecting against everything from malware that might enter the utility grid through a smart meter to government-sponsored cyberattacks designed to shut down nuclear power plants.

FACT: Web drive-by downloads and spear-phishing are often the initial intrusion points. [5]
A Highly Vulnerable Energy Industry

The energy industry presents unique attributes that make it more vulnerable than others to cyberattack. In fact, one source found that two-thirds of energy companies had experienced some form of brute force attack, twice the percentage of companies in other industries [5]. Examples of areas of vulnerability include:

1. Abundance of Potential Ingress Points. There are millions of potential ingress points for malware, hacking attempts and other incursions, from legitimate employee use of the internet for normal day-to-day business activities to the prevalence of BYOD and contractor access.

2. Vulnerable Smart Grid. The existing smart grid technology had originally been developed with the intention that it would stand apart, in locked industrial sites and control centers, making it unavailable to outside tampering. Those parameters have changed, and connecting that legacy technology to current technology now opens it up to all kinds of hacks.

FACT: 61 percent of energy and utility executives consider security to currently be a big problem for the smart grid, and 64 percent believe that the grid is not prepared for security threats [6].

But who is doing the attacking? It might not be what you think. PWC found that while attacks backed by nation-states are making the headlines, utilities are more likely to be hit by other outsiders, including [7]:

- Hackers
- Competitors
- Activists/activist groups/hacktivists
- Organized crime
- Terrorists
- Foreign entities/organizations
- Foreign nation states
Key Regulations to Consider

There are a number of regulations focused on the energy industry that decision makers need to consider in the context of managing their business, but more importantly in protecting themselves and their customers from the growing threat of cyberattack.

Cybersecurity Management

In the United States, the only industry that has mandated, enforceable cybersecurity standards is the electric power industry, which includes the nuclear power industry. These standards are embodied in the Critical Infrastructure Protection (CIP) standards, which were developed by the North American Electric Reliability Corporation (NERC) and address the security of cyber assets essential to the reliable operation of the electric grid. The CIP standards impose a number of requirements on companies in the energy space, including:

- CIP-003-1 requires companies to develop and maintain security management controls to protect critical network and other assets.
- CIP-005-1 requires the development of an Electronic Security Perimeter that must disable unnecessary ports and services, monitor and log access on a 24x7 basis, perform vulnerability assessments at least once each year, and document changes in the network.
- CIP-007-1 requires that network and system events be monitored using automated systems, and that alerts be sent to individuals managing the systems. Additional requirements include that only necessary ports and services are enabled (R2), that anti-malware capabilities are used (R4), and that the risk of unauthorized access be minimized (R5).
- CIP-009-1 requires that a disaster recovery plan be developed and that it be tested at least once a year.

FERC was enabled by the Energy Policy Act of 2005 to oversee the reliability and security of the US electrical grid. While the primary intent of FERC was the reliability of the grid, FERC has increasingly focused on cybersecurity. In September 2012, FERC established the Office of Energy Infrastructure Security (OEIS), the focus of which, among other things, is to develop recommendations for identifying, communicating and mitigating potential cyber and physical security threats and vulnerabilities to FERC-jurisdictional energy facilities using the Commission's existing statutory authority, and to provide assistance, expertise and advice to other federal and state agencies, jurisdictional utilities and Congress in identifying, communicating and mitigating potential cyber and physical threats and vulnerabilities to FERC-jurisdictional energy facilities [8].

The Nuclear Energy Institute has developed a comprehensive cybersecurity program for the protection of nuclear power plants. This program was adopted by all US nuclear power plants in 2006, and all of them had implemented the program two years later [9]. US nuclear power plants have implemented various protections against cybersecurity threats, including controls over how portable devices are used, isolation of critical control systems using air gaps or hardware-based isolation solutions, improved employee training, employee monitoring, and robust change management procedures.

The US Department of Energy issued Cybersecurity Procurement Language for Energy Delivery Systems in April 2014 [10]. This document, while not defining specific regulations, offers a set of useful guidelines for energy-related companies to use when procuring new equipment.

Executive Order 13636, Improving Critical Infrastructure Security, provides a framework for improving the security of key elements of the national infrastructure, including communications, water systems and energy. The goals of the Order include promotion of better cybersecurity practices, development of a framework for technology-neutral cybersecurity, and improved sharing of threat information.

Energy Organization Management

FERC Order No. 717

This order imposes a number of rules on regulated and vertically integrated utilities. Its goal is to create an ethical wall between the marketing and transmission functions of vertically integrated companies that distribute natural gas and electricity between states (the No-Conduit rule). FERC 717 makes it necessary for these companies to manage their communication in such a way that they do not give preferential treatment to their affiliates. A key element of this order is that all communications between transmission-related and marketing-related employees of a vertically integrated provider must be retained for long periods of time.

FERC Part 125

Published under the Federal Power Act and Natural Gas Act, this ruling mandates specific retention periods for records that are maintained by public utilities and their affiliated companies. For example, stockholder-related meeting minutes must be kept for five years, procurement agreements must be retained for six years, and plant ledgers must be kept for 25 years.

Risks

The risks of cyberattack in the energy industry are enormous and are by no means a new phenomenon, as illustrated by the following examples:

- Of the 200 or so hacking incidents investigated by the US Department of Homeland Security cybersecurity team in 2013, more than 40% were directed against energy-related assets.
- Underscoring just how vulnerable the US electrical system has become, a US federal government analysis that was revealed in March 2014 found that disabling only nine of the 55,000 transmission substations could initiate a widespread blackout in the United States [11].
- The results of a poll published in MIT Tech Review found that 70% of individuals focused on critical infrastructure report that their Supervisory Control and Data Acquisition (SCADA) systems are at high or severe security risk [12].
- A report from early 2009 discussed the fact that Russian, Chinese and other hackers had successfully penetrated the US electrical grid and were able to install malware within power grid systems [13].
- In a 2013 report, one electric utility reported that it endures roughly 10,000 attempted cyber intrusions on a monthly basis [14].
- In 2012, Saudi Aramco was attacked by hackers who were able to infect 30,000 of the company's computers with the Shamoon worm. Although gas and oil production was not disrupted, the company's networks were brought down by the attack [15].
- The Stuxnet worm, first discovered in June 2010 and most likely a US and Israeli attempt to disrupt the Iranian nuclear program, clearly demonstrated that worms and related types of malware can successfully infiltrate programmable logic controllers or other types of hardware and cause significant damage. One source estimated that 20% of Iran's centrifuges were destroyed by Stuxnet [16]. The importance of Stuxnet in the context of potential power plant, oil refinery and other energy-related security should not be underestimated. Not only can this type of malware alter the operation of key control systems with potentially disastrous consequences, a Stuxnet-like worm has already done so.
- In October 2012, a contractor at a US power plant accidentally infected a turbine control system with a worm delivered via a USB drive and took the power plant offline for three weeks [17].

What's at Stake?

- Public and customer trust
- Energy reliability
- Reputation
- Regulator scrutiny
- Competitiveness

How AccessData Can Help

AccessData's ResolutionOne Platform integrates network, endpoint and malware analysis, threat intelligence and remediation capabilities into a single solution that doesn't just deliver rapid detection and response; it delivers Continuous Automated Incident Resolution. ResolutionOne enables your organization to:

- Immediately identify when a sensitive data leak is occurring so you can quickly resolve the issue.
- Fully integrate with existing security infrastructure, such as SIEMs, next-generation firewalls, alerting tools and monitoring solutions, to reduce the time it takes to identify critical security incidents and get the most out of your existing investments.
- Automate manual processes to free up valuable resources and focus on more business-critical tasks.
- Cull through the noise in order to quickly confirm and prioritize true threats.
The ResolutionOne Platform from AccessData, as well as AccessData's solutions portfolio, can help energy-related organizations to understand how information flows within an organization and across its network of Business Associates.

Benefits to Energy Organizations

Dealing with highly focused and highly skilled attackers who perpetrate sophisticated incursions into the energy infrastructure requires a robust and integrated set of capabilities. AccessData's offerings can be used to detect cybercriminal activity, respond quickly to suspicious behavior and resolve the issue at hand. Benefits include:

- Identify suspicious binary files based on their unusual behavior, even in the absence of signatures that have been designed to detect known malware.
- Isolate and examine suspect code without the use of sandboxing, dynamic analysis or traditional heuristic analysis.
- Determine the presence of malware and whether or not it has already executed on infected machines.
- Monitor and analyze the behavior of mobile devices that are used by employees.
- Automate the malware triage process and quickly identify, isolate and remediate cyberattacks, malware incursions, data leaks and other threats more quickly than is possible with manual processes.
- Measure your security team's efficiency with key performance indicators embedded within the platform, such as Mean Time to Validate (MTV) and Mean Time to Respond (MTR).
- Automate the process of malware triage.
- Identify, isolate and remediate cyberattacks, malware incursions and other threats more efficiently than contemporary manual processes with the ResolutionOne Platform.
References

1. http://fortune.com/global500/royal-dutch-shell-plc-1/
2. http://fortune.com/fortune500/wal-mart-stores-inc-1/
3. http://www.dhs.gov/energy-sector
4. http://www.eia.gov/tools/faqs/faq.cfm?id=108&t=3
5. http://www.microsoft.com/security/sir/glossary/drive-by-download-sites.aspx
6. http://www.securityweek.com/energy-sector-higher-risk-brute-force-attacks-and-malware-threats-report
7. http://smartgridinsights.com/standard/infographic-2014-smart-grid-cybersecurity-survey/#sthash.hw4vkgfk.dpuf
8. PWC, Power & Utilities: Key findings from The Global State of Information Security Survey 2014
9. http://www.ferc.gov/eventcalendar/files/20120920100740-oeis-news-release.pdf
10. http://www.nei.org/corporatesite/media/filefolder/backgrounders/policy-briefs/cyber-security-regulation-strictly-regulated-by-nrc-march-2014.pdf?ext=.pdf
11. http://energy.gov/sites/prod/files/2014/04/f15/cybersecprocurementlanguage-energydeliverysystems_040714_fin.pdf
12. http://fcw.com/articles/2014/04/29/doe-releases-cyber-procurement-guidelines.aspx
13. http://www.businessinsider.com/nations-had-electric-wmd-for-years-2013-2
14. http://online.wsj.com/news/articles/sb123914805204099085
15. http://www.theregister.co.uk/2013/05/23/us_power_grid_cyber_attack_report/
16. http://www.theregister.co.uk/2012/12/10/saudi_aramco_shamoon_inquest/
17. http://www.businessinsider.com/stuxnet-was-far-more-dangerous-than-previous-thought-2013-11
18. http://www.matthewaid.com/post/40779484987/stuxnet-type-virus-disabled-u-s-utility-last-fall
Contact/Sales Information

Learn more about how AccessData can help accelerate information security initiatives at http://accessdata.com

AccessData Group makes the world's most advanced and intuitive incident resolution solutions. AccessData technology delivers real-time insight, analysis, response and resolution of data incidents, including cyber threats, insider threats, mobile and BYOD risk, GRC (Governance, Risk and Compliance) and ediscovery events. Over 130,000 users in law enforcement, government agencies, corporations and law firms around the world rely on AccessData software to protect them against the risks present in today's environment of continuous compromise.

AccessData is a registered trademark of AccessData Group. ResolutionOne is a trademark of AccessData Group. 2014 AccessData Group. All Rights Reserved.

GLOBAL HEADQUARTERS: +1 801 377 5410, 1100 Alma Street, Menlo Park, CA 94025 USA
NORTH AMERICAN SALES: +1 800 574 5199, Fax: +1 801 765 4370, sales@accessdata.com
INTERNATIONAL SALES: +44 20 7010 7800