cyber security research needs an energy sector perspective
play

Cyber Security Research Needs- An Energy Sector Perspective Kyle - PowerPoint PPT Presentation

Aug 13, 2023 •939 likes •1.04k views

Cyber Security Research Needs- An Energy Sector Perspective Kyle Hussey, Grant County PUD Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security | cred-c.org IT and OT interoperability Observations OT and

  1. Cyber Security Research Needs- An Energy Sector Perspective Kyle Hussey, Grant County PUD Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security | cred-c.org

  2. IT and OT interoperability • Observations • OT and IT environments still believe they are Unique • The majority of the attack vectors are not from the form and function of the application or operations the technology performs, rather it is from the inclusion of interconnections and distributed architectures • In order to advance automation and efficiency the once isolated information (data) and operations are now incorporated in the vast world of firmware, OS’s, Databases, Applications, and of course the great vulnerabilities of interconnectivity. • ICS, IOT, and SCADA Vendor Technologies not really developed well enough to play correctly in the TCP/IP world. • Memory control • CPU cycles • Process Isolation • Vulnerability • DDOS protection • Access Controls • Logging/Event analysis cred-c.org | 2

  3. IT and OT interoperability • Technology companies still believe they are isolated from the accountability and criticality of the business world. • Technology vendors are still focused on first to market and feature enhancement, thus leaving open all the vulnerabilities due to unsecure code, bug handling, and dependency on opensource. No good Quality Assurance in products related to Cyber Security. • No accountability or liability for the technology vendor. All major attacks have been found to be the fault of the implementation and or company personnel using the product, even if the vulnerability was due to miss-behaved applications and/or bugs in the software. • Why do we not hold the vendor accountable for flawed or unsecure products. • Ex: Automobile industry crash safety test, recalls, and safety requirements? • Chemical industry label and education warnings. (lawsuits) • Product quality controls, EPA, FDA, FCC, etc…. cred-c.org | 3

  4. IT and OT interoperability • Problems: • OT and IT vendors still fighting for market value by keeping protocols unique and proprietary and not required to conform to standards. • No incentive to develop hardened or secure product by nature. • Regulations and customer demand are slow at best. • IT environments have evolved, by having dedicated specialists in functional areas, where as ICS, OT, IOT, follows the old approach where the system engineer, system admin does everything. • Generates an isolation from interoperability through functional areas of control • IT vendors are not required to build product to the resiliency and standards of OT devices. cred-c.org | 4

  5. IT and OT interoperability • Problems Continued….. • Compliance requirements focus on operational function and not on interconnectivity, thus fueling the isolationist mentality. • CIP-for electric grid, PCI-DSS for banking industry, SOX, HIPPA etc… this creates even further isolated environments. • The irony here is that there are way more commonalities between all the technologies that fall into these operational environments than there are dissimilarities. • Too many standards allow environmental uniqueness • NERC CIP, FERC, FCC, ISO-27001, NIST-800, EC 61858, IEEE, etc…. cred-c.org | 5

  6. IT and OT interoperability • Summary • Focus has been on the uniqueness of every operational environment. • Causes isolated silohs in all industries and a lack of focus on the fundamental attack vectors • The vendors are not being held accountable for vulnerabilities in their product or adherence to a set of basic security measures • Too many requirements that are unique to specified functional areas for the vendors to invest any interest in developing their product to meet everyone's need. • If the market does not demand a set of standards then the vendor will not invest in them. • IT and OT interoperability awareness • Cyber security is everyone's responsibility, not just the IT or OT departments and domains of control continue to be the backdoor for the perpetrator. • KISS • Find the root attack surface, the common framework, and develop governed standards of operation base on those not on the unique functional areas. cred-c.org | 6

  7. IT and OT interoperability • Thoughts /Research needs • Vendor Certification Standards (Across the board for IT, OT, ICS, IOT) • Set a common set of technology minimum standards (ie access control, firmware, OS, application, protocol, hardware). • Focus the certification on the common framework, not the unique function. • Build/Adopt/coordinate a common protocols for baselines of Cyber Security • What this is Not : • Another guideline • Another best business practice • Another compliance regulation based on Industry or function. • What this is • Common set of protocols with specific risk mitigation controls (FCC, IEEE, etc…) • A governing body with authority to enforce and regulate • cred-c.org | 7

  8. IT and OT interoperability Questions ? Contact Information: Kyle M Hussey Grant County PUD khussey@gcpud.org (509)793-1575 cred-c.org | 8

  9. http://cred-c.org @credcresearch facebook.com/credcresearch/ Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cyber Security in the Energy Sector Douglas DeGrote April 2015 The Importance of Cyber

Cyber Security in the Energy Sector Douglas DeGrote April 2015 The Importance of Cyber

Cyber Security in the Energy Sector Douglas DeGrote April 2015 The Importance of Cyber Security The field of affect has changed More control systems and critical infrastructure is online The ability to cause widespread issues is

103 views • 8 slides
Cyber security Tiered approach to cyber security preparedness in water National Sector

Cyber security Tiered approach to cyber security preparedness in water National Sector

Cyber security Tiered approach to cyber security preparedness in water National Sector What I am Company utilities in the UK going to Water UK good practice cover NIS Directive Dr Jim Marshall, Senior Policy Advisor,

231 views • 4 slides
Cyber Security R&D (NE-1) Trevor Cook Office of Nuclear Energy U.S. Department of Energy NE

Cyber Security R&D (NE-1) Trevor Cook Office of Nuclear Energy U.S. Department of Energy NE

Cyber Security R&D (NE-1) Trevor Cook Office of Nuclear Energy U.S. Department of Energy NE Cyber Security R&D Objectives: To strength security through reduction of vulnerabilities To mitigate the consequences of threats To

51 views • 4 slides
Cyber/Information Cyber/Information Security Cyber/Information Cyber/Information Security

Cyber/Information Cyber/Information Security Cyber/Information Cyber/Information Security

Cyber/Information Cyber/Information Security Cyber/Information Cyber/Information Security Security Insurance: Security Insurance: Insurance: Insurance: A Montana Perspective A Montana Perspective Presented by: d b Brett E. Dahl,

197 views • 8 slides
Cyber-Physical System Security Alia Long Advanced Research in Cyber Systems (ARCS) Los Alamos

Cyber-Physical System Security Alia Long Advanced Research in Cyber Systems (ARCS) Los Alamos

Cyber-Physical System Security Alia Long Advanced Research in Cyber Systems (ARCS) Los Alamos National Laboratory LA-UR-17-27644 Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA A Cyber-Physical Model

837 views • 7 slides
New York State Energy Planning Board Cyber Security and the Energy Infrastructure New York

New York State Energy Planning Board Cyber Security and the Energy Infrastructure New York

New York State Energy Planning Board Cyber Security and the Energy Infrastructure New York State Division of Homeland Security and Emergency Services Office of Cyber Security Office of Cyber Security Overview Established as the Office

451 views • 31 slides
(U) Financial Sector Cyber Security UNCLASSIFIED//FOUO UNCLASSIFED//FOUO UNCLASSIFIED//FOUO

(U) Financial Sector Cyber Security UNCLASSIFIED//FOUO UNCLASSIFED//FOUO UNCLASSIFIED//FOUO

UNCLASSIFIED//FOUO (U) Financial Sector Cyber Security UNCLASSIFIED//FOUO UNCLASSIFED//FOUO UNCLASSIFIED//FOUO (U) Cyber Event: (U) 15 August Foreign cyber actors targeted a foreign oil company in a large-scale coordinated cyber attack,

435 views • 11 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security

Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security

Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security Research Scientist Oak Ridge National Laboratory Main Points Information Sharing Enable discovering and sharing information about real threats to

216 views • 6 slides
cyber defence capability: A practitioners perspective Luke Beeson, Vice President Security UK

cyber defence capability: A practitioners perspective Luke Beeson, Vice President Security UK

Building an effective and dynamic cyber defence capability: A practitioners perspective Luke Beeson, Vice President Security UK and GB&FM BT Security 1 BT Security 2 Our History Rethinking the Risk as a Trusted Security Partner BT

141 views • 10 slides
Seminar Series IT and OT, Information Security Architectural and Operational Divides in the

Seminar Series IT and OT, Information Security Architectural and Operational Divides in the

Seminar Series IT and OT, Information Security Architectural and Operational Divides in the Energy Sector Cyber Resilient Energy Delivery Consortium (CREDC) Mark Guth Manager Corporate Security Critical Infrastructure Compliance March 13,

230 views • 22 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The

Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The

Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The University of Hong Kong Cyber-security for industry 4.0 conference 23 June, 2017 1 Will the followings only be seen in movies? Movies: Cyber

510 views • 28 slides
BiH Energy Summit - Key Messages - The Path th to a Sustainable Energy Sector Energy security

BiH Energy Summit - Key Messages - The Path th to a Sustainable Energy Sector Energy security

BiH Energy Summit - Key Messages - The Path th to a Sustainable Energy Sector Energy security Environmental Energy sustainability affordability The Path th to a Sustainable Energy Sector Voting results How do you see the energy

509 views • 21 slides
Digital Upg pgra rades des and nd Cyber Security An Industry Perspective John Connelly

Digital Upg pgra rades des and nd Cyber Security An Industry Perspective John Connelly

Digital Upg pgra rades des and nd Cyber Security An Industry Perspective John Connelly Engineering Manager Capital Projects Exelon Generation Company December 17, 2015 1 Industry Pe Perspec ecti tive Our shared goal is safe and

223 views • 9 slides
An Update from Washington: Whats Happening in the World of Cyber Security and Critical

An Update from Washington: Whats Happening in the World of Cyber Security and Critical

Homeland Security Advanced Research Projects Agency An Update from Washington: Whats Happening in the World of Cyber Security and Critical Infrastructure Douglas Maughan Division Director November 12, 2014 http://www.dhs.gov/cyber-research

489 views • 31 slides
Quantitative Cyber-Security Colorado State University Yashwant K Malaiya CS559 Course

Quantitative Cyber-Security Colorado State University Yashwant K Malaiya CS559 Course

Quantitative Cyber-Security Colorado State University Yashwant K Malaiya CS559 Course Introduction CSU Cybersecurity Center Computer Science Dept 1 1 Wish we were there! 2 About the course Quantitative and algorithmic view of

1.03k views • 32 slides
Fatiguing Data to Protect against Cyber Security Extortions: A counter- intelligence methodology

Fatiguing Data to Protect against Cyber Security Extortions: A counter- intelligence methodology

Fatiguing Data to Protect against Cyber Security Extortions: A counter- intelligence methodology Dr. Anthony Vincent . B Assistant Professor, Department of Computer Science Kristu Jayanti College (Autonomous) K. Narayanapura, Kothanur(PO),

539 views • 8 slides
Managing Cybersecurity Risk in the Digital Age Workshop - 29 May 2019 1 Admin Program 1.

Managing Cybersecurity Risk in the Digital Age Workshop - 29 May 2019 1 Admin Program 1.

Managing Cybersecurity Risk in the Digital Age Workshop - 29 May 2019 1 Admin Program 1. Overview of entire day course (1 hr) 2. Discussion on specific needs of participants (course will be tailored to suit the majority of participants)

1.09k views • 76 slides
CYBER SECURITY FOR NON-TECHNICAL EXECUTIVE Cor Corpor porate O te Over erview view AT-NET

CYBER SECURITY FOR NON-TECHNICAL EXECUTIVE Cor Corpor porate O te Over erview view AT-NET

CYBER SECURITY FOR NON-TECHNICAL EXECUTIVE Cor Corpor porate O te Over erview view AT-NET Services offers comprehensive engineering services for the life cycle of your system; design, build, secure and manage CYBER SECURITY FOR

873 views • 65 slides
Disclaimers My personal views and opinions may not represent the position(s) of my employers.

Disclaimers My personal views and opinions may not represent the position(s) of my employers.

How to stop worrying about Application Container Security (v2) Brian Andrzejewski Information System Security Architect Twitter: @DevSecOpsGeer LinkedIn: https://www.linkedin.com/in/bandrzej Disclaimers My personal views and opinions may

526 views • 24 slides
Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer

Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer

Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer Science Laboratory SRI International Menlo Park CA USA Primary affiliation: LynuxWorks John Rushby, Rance DeLong, SR I Compositional Security

466 views • 25 slides
security vulnerabilities and strategies Fabio Patrone Polytechnic School, University of Genoa 1

security vulnerabilities and strategies Fabio Patrone Polytechnic School, University of Genoa 1

Satellite Communications: Cyber security vulnerabilities and strategies Fabio Patrone Polytechnic School, University of Genoa 1 Overview Satellite mission goals, categories, structural subsytems, network architectures, and communication

728 views • 53 slides
Modern Data Management and Governance Benjamin Pecheux Data Management and Governance for Better

Modern Data Management and Governance Benjamin Pecheux Data Management and Governance for Better

Modern Data Management and Governance Benjamin Pecheux Data Management and Governance for Better Crowdsourced Data Applications Adventures in Crowdsourcing Webinar Series FHWA EDC-5 January 28, 2020 Agenda What is data management?

457 views • 20 slides

More recommend