Cyber Security Presentation Ontario Energy Board Smart Grid Advisory Committee Doug Westlund CEO, N-Dimension Solutions Inc. October 1, 2013 Cyber Security Protection for Critical Infrastructure Assets
Presentation Topics Introductions Cyber Security Risk and Threats to the Energy Sector Cyber Security Concepts for the Energy Sector Implications for Grid Operators Q & A - 2 -
N-Dimension an industry leader since 2002 2012 award winner for Industrial Cyber Security Smart Grid Fund Recipient 2012 Hometown Connections Partner of the Year Smart Grid Leader Designation Vice chair and principal author of IEEE 1711 NESCO Founding Member Advisory Board for Trustworthy Computing Co-Editor NISTIR 7628 Vol. 3, Chapter 7 2013 Business Award Recipient - 3 -
Cyber Security Risks and Threats to the Energy Sector - 4 -
The cyber threat is escalating -5-
Energy is the most targeted sector Incident Response Activity First Half FY 2013 Results Total attacks are trending up 198 in total FY 2012 204 in first half FY 2013 93, 46% 111, 54% Energy attacks are increasing 82 in total FY 2012 111 in first half FY 2013 Oct 2012 May 2013 ICS-CERT Monitor Oct Dec 2013 ICS-CERT Monitor April Jun3 2013 Many of these (FY 2012) incidents targeted information pertaining to the ICS/SCADA environment, including data that could facilitate remote access and unauthorized operations.. - 6 -
Threat emphasized at leading hacker conferences By Heather Kelly, CNN updated 2:02 PM EDT, Mon August 5, 2013 The five scariest hacks we saw last week Industrial facilities Remote-controlled cars Compromising smartphones The too-smart home Hackers get personal most frightening targets highlighted at the conference. Multiple demonstrations showed just how simple it is to hack energy systems. on an actual oil well, the (mock) hack could result in an environmental catastrophe, according to the researchers. It's possible to shut down an entire industrial facility from 40 miles away There is no built-in system for releasing software patches, like there is with personal computers. - 7 -
All operators are at risk HIGHER Cyber-security resources LOWER Most Vulnerable o Smallest Utilities Impact from Attack o o Largest IOUs Most Impact o Transmission Operators o Generators o Distribution Utilities Other IOUs HIGHER - 8 -
It s a continuous and growing challenge Advanced Persistent Threats + Increasing Automation + Grid Interconnectedness - 9 -
Industry frameworks / standards / regulations Department Of Energy Federal Energy Regulatory Commission Standards Organizations North American Electric Reliability Corporation National Institute of Standards and Technology - 10 -
There is no official solution If I had a cyber threat that was revealed to me in a letter tomorrow, there is little I could do the next day to ensure that that threat was mitigated effectively by the utilities that were targeted. Federal Energy Regulatory Commission Chairman Jon Wellinghoff September, 2012 Source: The Hill - 11 -
Cyber Security Concepts for the Energy Sector - 12 -
Elements of cyber security risks Threat Vectors Vulnerabili*es - 13 -
Dangerous and common myths 1. Cyber security is only an issue for larger operators. 2. We re not a target. 3. We have a firewall we re secure. 4. This is an IT issue. 5. My vendor says that their system is 100% secure. - 14 -
Attack surface and attack vectors Vendors Third Parties Internet Customers External Attack Vectors Utility Enterprise Systems Utility Operations Systems Internal Attack Vectors Advanced Metering Substations Distribution Automation External Attack Vectors - 15 -
Implications for Grid Operators 3 2 1 Insurance Cost to recover vs. cost of protection Rate recovery 5 4 Privacy Regulations / Compliance - 16 -
Cyber security risks are a key insurance issue http://www.insurancejournal.com/magazines/features/2013/08/19/301657.htm 41 percent of large businesses (those with 500-plus employees) believe cyber security risks are greater than other insurable business risks such as natural disasters, 88 percent currently own or plan to purchase cyber security coverage in the near future. Of the 56 percent of respondents that had breaches, the average cost of these incidents was reported at $9.4 million in the last 24 months. Respondents quantified the average potential maximum financial risk of a data breach at $163 million, with some projecting more than $500 million in damages. - 17 -
Recovery cost benchmarks Unlimited 20x Additional costs arising from privacy breaches and other litigation Utility industry cost to recover vs. cost to protect N-Dimension actual data 5x 15% 5% Industry standard cost recover vs. cost to protect Cost to secure as a percentage of total IT investment Industry standard for banking and telecom Cost to secure as a percentage of total IT investment Proven in distribution utilities - 18 -
Rate Recovery NARUC N-Dimension recently presented to NARUC Top Priority Cyber security was one of their top priorities Buy In Discussion of linking cyber security protection to utility rate cases (California leading by example) - 19 -
Privacy issues are front page news Privacy Best Practices 1. Proactive not Reactive; Preventative not Remedial 2. Privacy as the Default Setting 3. Privacy Embedded into Design 4. Full Functionality Positive-Sum, not Zero-Sum 5. End-to-End Security Full Lifecycle Protection 6. Visibility and Transparency Keep it Open 7. Respect for User Privacy Keep it User-Centric Source: Privacy by Design - 20 -
Security vs. Compliance Utilities are focusing on regulatory compliance instead of comprehensive security. GAO-11-117 NERC CIP standards becoming more pervasive and covering more assets FERC NERC CIP 5 News Release Compliance can easily be achieved as a by-product of an effective cyber security strategy and program - 21 -
Solution = defense-in-depth strategy Identify Isolate Insulate Elements of a Defense in Depth Strategy Electronic security perimeters Monitoring Layered defenses Cyber-resilience Supported by vulnerability assessments and penetration tests People Technology Operations - 22 -
Benefits of comprehensive cyber-security Reliability Less chance of service interruption Revenue Assurance Attack mitigation for core revenue producing assets Risk Mitigation Complies with indemnification requirements - 23 -
Summary All utilities /operators in the energy sector are at risk Doing nothing is not an option It is 5 20 x more costly to recover Defense-in-depth is the goal for operators of all size This is not an IT issue, it is a matter of: Local, provincial, and national security Risk management Revenue assurance for the operator - 24 -
Q & A - 25 -
Thank You Doug Westlund CEO N-Dimension Solutions Inc. Office: 905.707.8884 x227 Mobile: 416.997.8833 doug.westlund@n-dimension.com - 26 -