Cyber Security: The Leadership Opportunity for Joint Action Agencies
2013 APPA Joint Action Workshop
Doug Westlund, N-Dimension Solutions Inc.
Cyber Security for the Smart Grid

Cyber Risk Reduction Questions
- What can individual utilities do?
- What can Joint Action Agencies do?
- What does APPA need to do?
- What can the states and federal government do?

Discussion Topics
- Introductions
- Cyber Security Concepts for Utilities
- Challenges for Public Power Utilities
- Opportunities for Joint Action Agencies
- Q & A

N-Dimension Solutions
- Cyber security solutions provider laser-focused on the energy market
- Selected for multi-year DOE project to protect the US grid
- Member of key standards bodies (NERC, NIST, DOE Labs)
- Recognitions:
  - Frost & Sullivan Award for Best Practices in Industrial Cyber Security
  - Leader designation by Pike Research and Smart Grid Today
  - Expert witness in FERC and GAO committees
- HD Supply's cyber security partner
- Demonstrated success in public power

Strong Supporter of APPA Initiatives
- Author of Cyber Security Primer available on the APPA web site bookstore
- Author of four articles published in APPA's Public Power magazine
- Developed three webinars for APPA's Academy webinar seminar series
- Presented courses at E&O and National Conferences
- Selected by Hometown Connections as their cyber security partner

Selected by the American Public Power Association Hometown Connections Partner

"As stated by the Federal Energy Regulatory Commission, cyber attacks can damage generation and distribution facilities in ways that cause widespread disruption of electric service and undermine our government, economy, and the health and safety of millions of citizens. We selected N-Dimension Solutions Inc. as the official cyber security partner of Hometown Connections because the firm offers a deep knowledge of cyber security, a proven methodology, and a commitment to addressing the unique requirements of public power systems of all sizes."
- Tim Blodgett, the President and CEO of Hometown Connections

Cyber Security Concepts for Utilities

Elements of Cyber Security
- Risks
- Threat Vectors
- Vulnerabilities

Four Dangerous and Common Myths
1. Cyber security is only an issue for larger utilities.
2. We're not a target.
3. We have a firewall; we're secure.
4. This is an IT issue.

The Philosophy and Culture of Cyber Security
A. Security is a process, not a destination.
B. Nothing is 100% secure. It's all about managing and mitigating risks.
C. A holistic approach is required:
   i. People
   ii. Process
   iii. Technical Security Controls

Challenges for Public Power Utilities

Typical Utility: Minimal Security
Risk Points (diagram labels):
- Email, Web, Facebook
- Basic Internet Security
- 3rd parties trusted
- unpatched systems
- Flat Network
- dialup modems
- shared or default pwds
- unprotected comms

It's a Continuous and Growing Challenge
Advanced Persistent Threats + Increasing Automation + Grid Interconnectedness

Defense-in-Depth: Depth Required by all Utilities
- Perimeter Protection
- Interior Security
- Monitoring
- Management
- Processes
DOE: "Start with the assumption that utility assets will be compromised and then build your defenses from there..."

Opportunities for Joint Action Agencies

Opportunities for Joint Action Agencies
- Participate in the marketing and/or delivery of cyber security solutions to members
- JAA can be visible in delivering tangible value to members for a very key and pressing issue for utilities and for the APPA
- Can help to address resource constraints of members
- Leverage the strong synergies across JAA's members
  - Cost
  - Group insight capability

Cyber Security Opportunity Categories
- Technical Services
- Monitoring Services
- Managed Services

Cyber Security Technical Services
- Education
- Awareness Training
- Vulnerability Assessments
  - Use of Maturity Model
  - Can expand into penetration testing
- Development of Cyber Security Plans
- Development of Cyber Security Programs

Cyber Security Monitoring Services
Diagram labels: JAA and/or Member; Incident Detected!

Cyber Security Hosted / Managed Services
Diagram labels: Cyber Security Data; Corrective Action; JAA or Third Party Security Operations Center

Benefits of Proactively Addressing Cyber Security
For the JAA and its Members:
- Increased reliability
- Revenue assurance
- Alignment with APPA's RP3 program
- Demonstrated risk mitigation to assist in improvements in bond ratings and insurance premiums
For the Member's Customers:
- Increased service reliability
- Cost avoidance and revenue assurance for rate stability
- Privacy protection

Q & A

Thank You!
Contact Information
Doug Westlund, CEO
N-Dimension Solutions Inc.
Office: 905.707.8884 x227
Mobile: 416.997.8833
doug.westlund@n-dimension.com

Cyber Risk Reduction Resources
- APPA Cyber Security Essentials Primer
- White House/DOE Electricity Sector Cyber Security Capabilities Maturity Model (ES-C2M2)
- DOE Risk Management Program (RMP)
- NERC Cyber Security Standards (CIP Version 5)
- Electricity Sector Information Sharing and Analysis Center (ES-ISAC)
- Industrial Control Systems Computer Emergency Response Team (ICS CERT)
- DHS Cyber Security Evaluation Tool (CSET)
- DHS Physical Security Assessment (PSA) assessment
- FERC Office of Energy Infrastructure Security (OEIS)
- (Conceptual) DOE Cyber Incident Management Initiative