Cybersecurity Leadership
How does Dynamic Enterprise Security Governance benefit ICS Security?
Christopher A. Peters
May 1, 2014

Overview
- A Perilous Time in Boston during 1775
- Fast Forward Today
- Internal Challenges
- Leadership-driven Solutions
- Lessons, Benefits, Take-aways

1775: FUD Headlines
- Lexington Post: "Paul Revere: The British Are Coming!"
- Boston Intelligencer Extra: "Battle of Bunker Hill Rages; Patriots Hold Fire Until Whites of Eyes Seen"

Boston 1775: Situation Dire
(Figure: Washington versus Howe)

Boston 1775: The Paradigm Shift
- Fort Ticonderoga
- Washington Turns to Henry Knox: 25 years old, former street fighter, Boston book seller, paradigm shifter
- Guns of Ticonderoga: Knox moves 59 pieces of artillery 300 miles to Dorchester Heights, Boston, in the middle of the winter!

Boston March 1776: British Evacuate!
"We must acknowledge two additional considerations that are significant as multipliers of combat power: SURPRISE and BOLDNESS." (MCDP-1 Warfighting)

2014 FUD Headlines
A Big Company with Big Challenges
- 15,500 miles of Transmission Lines
- 1,800 Substations
- 82 Fossil Units
- 11 Nuclear Units
- 30,000 MW of Generating Capacity
- 2.7 Million Customers
- 2nd Largest Provider of Nuclear Power in the US

Enterprise Security Governance
"To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at a governance level, not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance."*

WE NEEDED TO ENHANCE OUR CYBER GOVERNANCE
- Elevate Executive Awareness
- Comprehensive Strategy
- Workforce and Vendor Management
- Long-term Capital Planning
- Technology Alignment Across the Enterprise
- Regulatory Excellence
- Building Accountability

IN OTHER WORDS, WE NEEDED TO BE BETTER LEADERS!

* Carnegie Mellon University

Problems
"Problems: 85% of people don't care that you have problems at your company; the other 15% are glad you have them." (Lou Holtz)

WE ALL HAVE PROBLEMS THAT REQUIRE SOLUTIONS!

Problem #1: Asymmetric Threats
"Put simply, asymmetric threats or techniques are a version of not 'fighting fair,' which can include the use of surprise in all its operational and strategic dimensions and the use of weapons in ways unplanned by the United States."

Strategy that fundamentally alters the terrain on which a conflict is fought.

Problem #2: Multiple Regulations
- Impossible to Govern in Silos
- Single Version of the Truth is Essential!
(Diagram: Cost, Technology, Performance, Compliance)

Problem #3: Geographically Dispersed ICS Silos
- Energy Delivery: business unit responsible for the transmission and distribution system of the Entergy operating companies.
- Fossil Generation: business unit which operates and supports 89 Entergy fossil and hydro generating units.
- Systems Planning and Operation (SPO): business unit responsible for dispatching generation, acquiring fuel, and procuring resources to meet Entergy's needs.
- Entergy Wholesale Commodities (EWC): business unit responsible for the functions and assets of Entergy's non-utility generation business.
- Nuclear: business unit responsible for operating 11 reactors in 9 locations across Entergy's Northeast and Southern locations.

"The best way to predict the future is to create it." (Peter Drucker)

Questions?

Strategy Design
- Enhance Governance and Oversight
- Centralize CIP, OT, and IT Capital/O&M Planning
- Connect the Business
- Establish Command and Control
- Build the Cross-Functional Cybersecurity Team
- Strengthen the Culture
- Implement Continuous Monitoring

Leadership Objective #1: Take Action
We don't have a 5 Year Plan; we have a 5 minute Plan!

Leadership Objective #2: Keep it Simple

Leadership Objectives #3 and 4: Operate in the Fog and Drive Solutions
Cyber Fog: Learn to minimize the impact!

Solutions and Benefits
1. Connect the Business
(Diagram: Transmission, Generation, Systems Planning, Entergy Wholesale, Nuclear)
- Forge Connections
- Reduce Friction
- Address Corporate-wide Operational Risk Issues
- Make Decisions

2. Strengthen Cyber Security Governance

Oversight Structures:
- OCE (especially CFO and COO, and EVP, HR&A)
- Reliability Oversight Committee
- Corporate Compliance Committee
- Information Technology Advisory Council
- Cyber Security Leadership Team

Management:
- VP, Chief Information Officer
- Director, Corporate IT Security
- VP, Critical Infrastructure Protection
- Director, Corporate Security

Functional Cyber Security Oversight Committees:
- Transmission
- System Planning and Operations
- Fossil
- Nuclear
- Entergy Wholesale Commodities

Single View across: Workforce, Technology, Finance, Awareness, Compliance, Policies and Procedures, Laws and Regulations

3. Build a Cross-Functional Team
(Reference: NIST SP 800-82, Securing Industrial Control Systems)

New Capabilities to Augment Existing Personnel:
- Executive Leadership
- Operational IT Management
- Internal / External IT Audit and Advisory experience
- Broad-based industry experience

The 360 View: Utilities, Oil and Gas, Healthcare, Department of Defense, Fortune 500 Manufacturing, Banking, Telecommunications, Nuclear

Multiple Frameworks: COBIT, COSO, NIST, HIPAA, ITIL, ISO, GAAP

Human Capital Planning is Critical to Success!

4. Strengthen the Culture
Culture of Security, Leadership, and Compliance:
- Office of the Chief Executive Briefings
- Cross-Business Unit Awareness Webinars
- Briefings with the Entergy Chief Operating Officer
- Training
- Public-Private Partnership Participation
- Encourage Tactful Dissent

5. Establish Command and Control
- Inventories
- Situational Awareness
- Executive Reporting
- Decision Making
- Trend and Causal Analysis
- Regulatory Status
- Capital and O&M Spending
- Threat Management and Status Monitoring
- Technology Deployment

6. Information Sharing
- Nuclear Energy Institute (NEI)
- Edison Electric Institute (EEI)
- North American Transmission Forum (NATF)
- Electric Power Research Institute (EPRI)
- ES-ISAC
- Intelligence Community
- Law Enforcement
- Louisiana Fusion Center
- Homeland Security

7. Monitor Our Security and Compliance State
Programs to assess the effectiveness of our controls:
- NIST 800-137 (continuous monitoring)
- Penetration Testing
- NERC CIP Cyber Vulnerability testing
- Readiness Assessments
- Internal Audit General IT Controls Testing

Identify and remediate gaps, vulnerabilities, and weaknesses.
(Cycle: Implement Security Controls, Assess, Monitor, Remediate)

Benefits
- Senior Executive Engagement
- Informed Decision Making
- 5 Year Capital Plan
- Improved Efficiency and Performance
- Strengthened Entergy and Vendor Workforce
- Rapid Reaction to Change
- Enhanced Cyber Protections through Technology Roadmapping

Lessons Learned
- Senior Executive Leadership is Essential!
- 3 Types of People to Get On the Bus: Action Oriented, Operate in the Fog, Work Across Multiple Organizations
- Tap the Existing Talent Pool
- Fundamentals are King
- Think Enterprise

Leadership Takeaways
- Take Action
- Operate Seamlessly in the Fog
- Keep it Simple
- Drive Solutions

Last Word: Never underestimate the impact that effective leadership has on the security state of your organization.