Cedric Leighton, Colonel, USAF (Ret)
Founder & President, Cedric Leighton Associates

- What is Cyber Security?
- The First Cyber Attack
- The Threat Landscape
- The Energy Industry as a Target
- The Legal & Regulatory Landscape
- Possible Policy Solutions
- The Paucity of (Real) Technical Solutions
- Securing the Energy Infrastructure

- The effort to secure the Internet from entities that seek to harm it or its users
- The implementation of standards to protect the Internet and its users
- A program or programs designed to mitigate the threat posed by hackers against a specific IT network or specific entity using the Internet

- Not a rigid, dogmatic set of rules
- Not a panacea
- Not something the Government can do by itself
- Not something Private Industry can do by itself
- But...

- Requires an All-In approach
- Government & Private Sector Partnerships based on Trust
- With Flexible, Evolving Rules, and
- A workable Cyber Security Strategy

When was the First Cyber Attack?

- Explosion was 1/7 the size of the Atomic Bombs used in Hiroshima & Nagasaki
- Could be Seen from Space
- Utterly Destroyed Large Section of Trans-Siberian Oil Pipeline
- Soviet Union lost $8 Billion in Annual Oil Revenue

- It began with a Defector codenamed Farewell
- KGB Colonel Vladimir Vetrov
- Led KGB section that stole Western Technology
- Hated Soviet life
- Gave French Intelligence 4,000 page document detailing Soviet Industrial Espionage in the West
- French President Mitterrand shared with President Reagan

- CIA discovered the Soviets wanted Western Computer Technology to run Trans-Siberian Pipeline
- Automate Pipeline Control Mechanisms
- Compressors, Valves, Storage Facilities
- Asked US for Software; Turned Down
- Bought from Canada, but with Modifications

- Canadian software to run Pumps, Valves & Turbines
- Programmed to Fail
- Reset Pump Speeds & Valve Settings to Raise Pressure far beyond Tolerances
- Pressure too great for Welds & Joints
- Result: Monumental Explosion

- In 1982: The Internet hardly existed; negligible Traffic Volume
- In 1990: 1000 Gigabytes of data travelled via the Internet per month
- Today's Traffic Volume: 27 Billion Gigabytes per month
- 5 Billion Different Devices will soon be connected to the Internet
- And then there's Malware

- Hacktivists
- Cyber Criminals
- Other Non-State Actors
- State Actors

- Anonymous; Lulzsec
- Politically Motivated; Anarchic Philosophy
- Stratfor Hack
- Ohio Rape Case
- Visa, MasterCard, PayPal
- Primary Method: DDoS (Distributed Denial of Service) Attacks
- Overwhelms Targeted Servers with more Traffic than they can Handle

- Motivation: Financial
- Russian & East European Criminal Gangs Dominate
- Credit Card Number Theft
- Value of a Credit Card Number: $2.50
- Identity Theft
- Cyber Ransoms
- Cyber Underworld = Criminal Underworld

- Targeted 30 US Banks Using 100 Botnets
- Botnets: Computers that are taken over by a third party; used to attack other computers
- Some people participate willingly; most do not
- All you need to do is download Malware to become a Botnet
- Goal: Attack US Banks before they implement Two-Factor Authentication
- Stole at least $5 Million (and that was before Blitzkrieg really started)

- Part of the People's Liberation Army's Intelligence Directorate
- Targets: US and North America; other English-speaking Countries
- Mission: Get as much Intellectual Property as possible
- Map Target Networks
- Find Vulnerabilities in Critical Infrastructure

- Stole Intellectual Property from Nortel
- Stayed on Nortel Networks for over 10 years
- Not noticed at first
- When discovered, lethargic response
- Nortel lost out to Chinese competitors
- Nortel is Bankrupt
- Stole Blueprints for the F-35 Joint Strike Fighter from Northrop Grumman
- Stole Plans for Wind Turbines
- Part of a Broader Chinese Strategy

- In the US: $500 Billion Annually
- Globally: $1 Trillion Annually

- Target: Saudi Aramco, world's largest Oil Company
- Secondary Target: RasGas, Qatar's 2nd largest Gas Company
- Perpetrator: Iran
- Cyber Weapon: Shamoon Malware
- Result: 30,000 PC Workstations made useless

- Hackers break into SCADA Systems
- Key Elements of the Nation's Critical Infrastructure are Sabotaged
- Large Sections of the Country are without Power
- Social Chaos & Death result

- No Comprehensive Cyber Security Legislation
- Current Legislation not Moving Forward
- Last Year's Measures Failed
- Executive Order Designed to Protect Government Cyber Infrastructure
- NERC and NRC Standards & Rules
- No Comprehensive National Cyber Security Strategy

- Develop a Comprehensive National Cyber Strategy
- Develop Evolving Minimum Cyber Security Standards & Regulations
- Pass Comprehensive Cyber Security Legislation to forge Partnership between Government & Private Sector
- Companies need Liability Protections
- Cyber Threat Information must be shared in Real-Time
- Private Partnerships with the Intelligence & Law Enforcement Communities

- Many SCADA Systems are Old
- Security is an Afterthought (at best)
- Firewalls: First line of defense, but can be breached
- Two-Factor Authentication: Ok, but may not be practical for Utilities
- Encryption: Essential, but can it be cracked?
- The Key: Understanding the Threat & Developing Responses to it

- Cannot be done in Isolation
- Must be a Partnership
- Federal & State Regulatory Elements
- Law Enforcement
- Intelligence
- Cyber Security Firms
- Must Incorporate Latest Threat Data in Real-Time
- We're all on the Front Line now

- The Cyber Threat is Real & Growing
- We must have a Proactive Partnership to Counter it
- Protecting Infrastructure, Businesses & Consumers is the Goal
- Businesses and Cooperatives that set the highest Cyber Security Standards will be the Gold Standard

Now it's Your Turn