Critical Infrastructure The Honorable Branko Terzic Confidential. - - PowerPoint PPT Presentation



SLIDE 1

The Honorable Branko Terzic

Confidential. Please do not circulate outside your organization without permission.

TeleGroup INFOSEC Cyber Security in Energy Critical Infrastructure

SLIDE 2

Biography

Speaker: Dr. h.c. Branko Terzic

Managing Director, Berkeley Research Group LLC, and Senior Fellow, Atlantic Council

Distinguished Fellow, Council on Competitiveness

Former:

  • Commissioner, US Federal Energy Regulatory Commission
  • Commissioner, Wisconsin Public Service Commission
  • Chairman, President and CEO of Yankee Energy System, Inc.

B.S. Energy Engineering and Doctor of Sciences in Engineering from The University of Wisconsin – Milwaukee

  • Former Chair, United Nations ECE Expert Group on Cleaner Electricity Production

SLIDE 3

Headlines

  • “As Cyber Threats To The Electric Grid Rise, Utilities And Regulators Seek Solutions” (Forbes, Jan 2017)
  • “Why utilities say grid security is the most pressing sector issue of 2017” (Utility Dive, April 2017)
  • “Federal assessment finds ‘gaps’ in preparation for electric grid attacks” (The Hill, May 2018)
  • “DOE unveils 'integrated strategy' to reduce utility cyberthreats” May 2018
  • “Senators Want Dumber Tech For Energy Grid Cybersecurity” (Next Gov, March 2018)

SLIDE 4

Basic Security Concepts

  • Step 1: Define security policy
  • Step 2: Define processes
  • Step 3: Choose and implement technology
  • Step 4: Document
SLIDE 5


TECHNOLOGY CONVERGENCE CREATES THREAT EXPOSURE

SLIDE 6


THREAT LIKELIHOOD VS. CONSEQUENCES AND LITIGATION

Threats and Litigation Opportunities:

  • Utility Grid and Infrastructure has become more “Red” in recent years due to nation state threats
  • Damages include loss of life or major GDP centers (e.g., almost lost Silicon Valley power for 28 days)
  • Utilities need to seem proactive to contract firmly and litigate against cost over-runs or face future budget disapproval or corporate reputational risk

SLIDE 7

U.S. Department of Energy Cybersecurity Capability Model

Ten Core Domains (Competencies):

  1. Risk Management
  2. Asset, Change, and Configuration Management
  3. Identity and Access Management
  4. Threat and Vulnerability Management
  5. Situational Awareness
  6. Information Sharing and Communications
  7. Event and Incident Response, Continuity of Operations
  8. Supply Chain and External Dependencies Management
  9. Workforce Management
  10. Cybersecurity Program Management

SLIDE 8

Cyber Technology Limitation

  • Cyber security technology by itself, however, can only partially address the issue of cyber threats.
  • Energy utilities also need to deploy the proper organization and processes in order to supplement the impact of cyber security protection technologies.

SLIDE 9

Energy Utility Operations & Security Lifecycle

Not an event, evolving to a way of business

Diagram labels:

  • Establish Governance
  • Harmonize Controls to create Unified Control Framework
  • Tailor Controls to determine correct baseline
  • Assess Existing Implementation of Controls
  • Plan Remediation Activities & Tools
  • Implement Remediation Actions

Standards and frameworks shown: NIST, NERC, NRC/NEI, Local, DHS, ITIL, CobIT, SOX, ASIS, ANSI/ISA, IEEE

Other labels: Moderate, Assessment Focus, Future Focus, Reference Projects

SLIDE 10

Energy Infrastructure Security

Three Areas of Concern

  • Regulatory and Legal Compliance
  • Physical Security
  • Cyber Security
SLIDE 11

Regulatory Compliance

  • In the U.S. there are FERC and NERC Critical Infrastructure Protection (CIP) program requirements. All energy companies need to have:

  • Assessment and implementation
  • Security awareness and training
  • Established Security policy
  • Periodic regulatory change reviews
  • Asset management security segregation
SLIDE 12

Regulatory Compliance

  • Establish security governance protocol
  • Security program engagement teams
  • Security engineering and operations
  • Security project management and oversight
  • Chief Information Security Officer (CISO) responsibilities

SLIDE 13

Regulatory Compliance

  • Operational Technology (OT) oversight programs
  • OT cyber security programs
  • Compliance programs for IT and OT
  • Insurance industry interaction and advisement

SLIDE 14

Physical Security

  • Physical security requires a robust security environment which includes action in areas of:

    – threat and vulnerability assessments, policy and procedure review and development,
    – security audits,
    – security training, and
    – security master planning

SLIDE 15

Vulnerability assessment and operations impact

  • Physical failure
  • Weather and natural disaster service denial
  • Local sabotage
SLIDE 16

Telecommunications system protection

  • Key relay communication circuits to control center communications

  • Power line carrier
  • Leased communications lines
  • Microwave
  • Fiber optic
  • GPS signaling
  • Secure video
SLIDE 17

Physical Security Upgrade support

  • Surveillance and video
  • Physical access control and identification technology
  • Integration into Security Operations Centers (SOC)
  • Physical security oversight of Engineering Procurement and Construction (EPC) vendors
  • Development of Less Than Lethal response options
  • Law Enforcement interaction
SLIDE 18

Cyber Security

  • Requires strategy, planning, implementation, and ongoing support stages.

  • Information security continuous monitoring
  • Continuous diagnostic & mitigation
  • Privacy program
  • Risk management and cyber risk program
SLIDE 19

Cyber Security Operations and Threat Management

  • Cyber security monitoring
  • Cyber security incident response
  • Threat intelligence
  • Risk assessments and penetration testing
  • Insider threat
SLIDE 20

Cyber Security

  • Security authorizations
  • External/Internal communications
  • External/Internal cyber security engagements

    – UNITE (Utility Information Technology Benchmark)
    – SEWG (Senior Executive Working Group)
    – Other industry/sector engagements
    – Coordination with Government Agencies

SLIDE 21

Sample Energy Industry Guideline

  • Form Cyber Security Team
  • Identify Critical Digital Assets
  • Apply Defensive Architecture
  • Address Security Controls

  1. Address each control for each CDA
  2. Or, apply alternative measures
  3. Or, explain why a control is N/A

SLIDE 22

Cybersecurity is not an external review. Cybersecurity needs to be an integral part of the culture of the business, as it is an essential part of the uninterrupted delivery of service to customers, which is the business of the energy company.

Branko Terzic Managing Director Berkeley Research Group LLC bterzic@thinkbrg.com Mobile (703) 919-0164
