THE WEBINAR WILL BEGIN SOON CyberSecure: A Virtual Cybersecurity - - PowerPoint PPT Presentation

CyberSecure:

A Virtual Cybersecurity Workshop for Electric Utilities

THE WEBINAR WILL BEGIN SOON

CyberSecure: A Virtual Cybersecurity Workshop for Electric Utilities

September 1, 2020

9:00 – 9:45 AM Cybersecurity Awareness Presentation and Video – Exploring the Connection to Utilities and Renewables 9:45 – 10:05 AM Intro of APPA and NRECA Cybersecurity Assessment Tools 10:05 – 10:30 AM Live Demonstration of Assessment Tools: APPA Scorecard and NRECA RC3 10:30 – 11:00 AM Break 11:00 – 12:30 PM Assessment Tool Deep Dive and Q&A

AGENDA

PRESENTER INTRODUCTIONS

BETSEY KIRK MCCALL CHUCK SPEAKS NATHAN MITCHELL CYNTHIA HSU

EVP, MARKET STRATEGY & CORPORATE OPERATIONS SENIOR PROGRAM ADVISOR SENIOR DIRECTOR OF CYBER AND PHYSICAL SECURITY SERVCIES CYBERSECURITY PROGRAM MANAGER

Seven States Power Corporation Intuitive Research and Technology Corporation American Public Power Association National Rural Electric Cooperative Association

DAVE WHITE

FOUNDER AND PRESIDENT

Axio

 We encourage you to ask questions during the webinar by clicking the ‘Q&A’ icon in the Zoom interface.  Participants are muted to minimize sound interference.  Panelists will post some information in Chat; attendees will not be able to post messages in Chat – please use Q&A to ask questions or post comments.  This webinar will be recorded. A copy of the audio and video recording will be available on NRECA’s RC3 website.  In the event of technical difficulty, please rejoin using the same connection information. We will resume the webinar as soon as possible.

WORKSHOP TIPS & TRICKS

Company Private

Cybersecurity in the Public Utilities and Renewables Domain

PRESENTED TO

Seven States Cybersecurity Workshop

PRESENTED BY

Chuck Speaks

1 SEPTEMBER 2020

Company Private

A Little About Us…

21 Years – Technical, Engineering, Aerospace Services Based in Huntsville, AL with Locations Throughout the US Commercial, Government, and Regulated Industries Provides Cybersecurity Services From Enterprise to Edge Tightly Integrated in the Communities We Serve Senior Program Advisor, INTUITIVE 20 Years IT and Cybersecurity Ops and Leadership Commercial, Industrial, and Government Expertise Vice President, Board of Directors – Cyber Huntsville Partner, FBI’s National Defense Cyber Alliance

Company Private

Public Utilities – Growing Number of Stakeholders

Company Private

Public Utilities – Growing Critical Infrastructure

Company Private

Public Utilities – Cyber Risk Through Expanded Threat Surface

Company Private

Public Utilities – Profiles of a Threat

Cyber Criminals

• Typically focused on financial crime
• Fraudulent invoices or gift card

scams

• Seek sensitive data to sell

Hacktivists

• Very public cyber activities
• Website defacement / Denial of

Service Attacks / Nuisance Hacking

• Leak private data for

embarrassment Nation-State Actors

• Quiet, stealth approach
• Advanced persistent threats
• Goal is to seek a way to disrupt,

destroy, or deny utility services

Company Private

Public Utilities – Targets of Opportunity and Design

Company Private

Public Utilities – Threat Tactics

Phishing Reconnaissance Stolen Credentials Vulnerabilities

Company Private

Public Utilities – Identifying Points of Attack

• Websites such as Shodan allow searching for IT and

OT assets exposed to the Internet

• It is easy to find and access assets that are

misconfigured – including industrial control / SCADA systems

Company Private

Public Utilities – Threat Surface of Renewables

• Energy grid was not

designed for bi-directional / uneven generation

• Multiple protocols with

integration needs

• High degrees of automation
• Insecure connectivity
• Bridging operational

networks with enterprise networks

Advanced Metering Systems Distributed Energy Systems Smart Consumer Devices EV Chargers

Company Private

Public Utilities – Relevant Incidents

• Dozen+ Utilities Targeted Near Critical

Infrastructure

– Throughout 2019 FBI tracked hackers targeting local utilities and co-ops – Most were near critical infrastructure junctures, dams, locks, etc – Phishing was main technique – Phishing email emulated a trusted source

• Local Municipality Ransomware

Incidents

– Several incidents in the Seven States footprint – Hackers dwell for weeks or months – Ransom can be in $100,000s – Public data exfiltrated as collateral

• Russia Targeted Utility Contractors

– Goal was to gain access via trusted connections – Sophisticated attack using multiple methods – Phishing campaign to gain access /credentials – “Waterhole” attack on industry websites

“The next Pearl Harbor will be cyber.”

• Sen. Angus King (I-ME)

Company Private

Public Utilities – Challenges

• Lack of Sufficient Budget
• Difficulty Staffing Skilled

Cyber Professionals

• Lack of Visibility into

Operational Technology

Company Private

Public Utilities – Securing a Growing Landscape

Next-Generation Cybersecurity Cyber Test and Evaluation Engineering

+

Company Private

Components of a Professional Cyber Operation

Company Private

Shared Grid Cybersecurity Platform

• Discover and document

information and operational technology assets

• Assess current vulnerabilities
• Actively hunt for threats
• Protect against malware,

ransomware, and phishing

• Perform incident response
• Support current and future

compliance requirements

Company Private

What Does a Shared Approach to Cyber Look Like?

Forensics

Incident Response

Monitoring

Threat Hunting

Anti- Phishing

Threat Intelligence

133 Members in 7 States One Shared Platform. One Shared Staff

Company Private

Benefits of a Shared Approach to Cyber

COSTS STAFFING Risk

Capabilities Compliance Resiliency

Fraction of the cost without any of the staffing issues Higher capabilities and compliance and cyber resiliency

Company Private

Public Utilities – Increased Cybersecurity is Achievable

• Local power companies and co-ops have unique challenges
• Utilities impact the daily lives of everyone in their service footprint
• As a provider of critical infrastructure and processor of customer data,

utilities present a strategic target for different types of cyber criminals By leveraging a model similar to the concept of “mutual aid” utilities can band together to provide robust cybersecurity to their operations

• This shared approach significantly reduces the cost and staffing challenges of

building your own solution

• Protect the information technology and operational systems while ensuring

compliance in an evolving technical and regulatory environment

Company Private

Seven States and Its Partners Can Help – Contact Us

#PublicPower www.PublicPower.org

American Public Power Association’s Cybersecurity Services Program

Department of Energy Award Number DE-OE0000811 Seven States Cybersecurity Webinar September 1, 2020

26

#PublicPower www.PublicPower.org

DOE Cooperative Agreement Overview

• In 2016 APPA partnered with the Department
• f Energy
• 3-year, $7.5M Cooperative Agreement;
• 1 year no-cost time extension Sept. 30, 2020
• 2016-17 – Analysis and Data Collection
• 2017-18 – Deployment and Resource Development
• 2018-20 – Sustainability

27

Acknowledgment: These activities are based upon work supported by the Department of Energy under Award Number DE-OE0000811.

#PublicPower www.PublicPower.org

DOE Cooperative Agreement Overview

Goal: Develop a culture of cyber security within public power utilities. Objective: Engage with public power distribution utilities to understand their cyber security awareness, capabilities and risks. Year 1 Tasks: 1. Cyber security risk assessments 2. Onsite cyber vulnerability assessments 3. Pilot existing and emerging security technologies 4. Improve how we communicate cyber threats

28

Acknowledgment: These activities are based upon work supported by the Department of Energy under Award Number DE-OE0000811.

#PublicPower www.PublicPower.org

About APPA

• APPA Members and Staff:
• Public power median size: 1,977 meters, 14.4% of sales to electric consumers
• APPA has 1,433 utility members; 230 corporate members, 60+ full-time staff includes lobbyists,

engineers, statisticians, lawyers, and other subject matter experts

• Educating Policy Makers:
• Congress, the White House, federal agencies, and the media on public power’s importance and

policy priorities

• Supporting Operations Excellence:
• Mutual Aid, APPA Safety Manual, RP3, eReliability Tracker, eSafety Tracker, Cybersecurity

Scorecard, Funding R&D and providing technical assistance via DEED

• Conferences & Summits:
• Business & Financial Virtual Conference – Sept. 14-15
• Legal & Regulatory Virtual Conference – Oct. 12-13
• Customer Connections Virtual Conference– Oct. 26-27
• Cybersecurity Virtual Summit – Nov. 16-18

29

#PublicPower www.PublicPower.org

Public Power Demographics

Utility Cluster Number of Public Power Utilities Customer Count NERC-Registered Entities Small 1255 0 to 3,995 Average = 1,314 14 Medium 461 4,015 to 408,411 Average = 15,156 88 Large 290 0 to 1,458,330 Average = 49,575 157

Targeting the 750 utilities with ICS on distribution systems 30

#PublicPower www.PublicPower.org

Cybersecurity Scorecard

• 338 public power utilities participating

– (2020 Goal is to reach 500 utilities)

31

#PublicPower www.PublicPower.org

Cybersecurity Roadmap and Regional Shared Cybersecurity Services Model

• Roadmap was published on April 2019

https://www.publicpower.org/resource/cybersecurity-roadmap

• The Roadmap uses the Scorecard output to provide public

power utilities with clear actions to improve their cybersecurity program

• The Cybersecurity Roadmap Advisory Council (CRAC)

contributed to the development of the Roadmap content

• A new Joint Action Agency Advisory Council (JAC-C) is

developing a business model to provide Regional Shared Cybersecurity Services (RSCS) and other resources for their members.

32

#PublicPower www.PublicPower.org

Task 1.10 Incident Response Playbook

Developed a Cyber Incident Response Playbook

• Published August 2019:

https://www.publicpower.org/resource/public-power- cyber-incident-response-playbook

• Modeled after APPA’s mutual aid response network
• Incudes industry Cyber Mutual Assistance (CMA)

program

• Utilities sharing cyber resources and expertise in a

crisis

• Exercised the playbook at Midwest Regional Summit
• n July 24, 2019
• Will be used in GridEx V

33

Acknowledgment: These activities are based upon work supported by the Department of Energy under Award Number DE-OE0000811.

#PublicPower www.PublicPower.org

Additional Cybersecurity Resources

• Cybersecurity Scorecard

– 338 public power utilities

• Cybersecurity Roadmap

– Helps you develop an action plan

• Regional Shared Cybersecurity Services Model

– Guidance for developing key relationships

• Incident Response Playbook

– Cyber Mutual Aid – Shared cyber resources

• Cybersecurity Training

– We bring training to you

• Secure Information Sharing

– Weekly Situation Report – ArmorText Encrypted Channel

34

#PublicPower www.PublicPower.org

Resources page:

www.publicpower.org/gridsecurity

Nathan Mitchell

• Sr. Director of Cyber and Physical Security Services

American Public Power Association 2451 Crystal Dr., Suite 1000, Arlington, VA 22202 Direct: 202.467.2925 nmitchell@publicpower.org

cybersecurity@publicpower.org

35

NRECA’s Cybersecurity Program

Cynthia Hsu, Cybersecurity Program Manager Business and Technology Strategies, NRECA

National Rural Electric Cooperative Association

Renewable Energy

Distributed Energy Resources

https://www.cooperative.com/topics/distributed-energy- resources/Documents/Distributed%20Energy%20Resources%20Over view.pdf

https://www.cooperative.com/topics/distributed-energy- resources/Pages/Distributed-Energy-Resources-Overivew-and-Key- Contacts.aspx

Distributed Energy Resources

Distributed Energy Resources

NRECA’S CYBERSECURITY PROGRAM

“Security is a process,

not a product.”

Bruce Schneier

NRECA’s Cybersecurity Program

• Research and development
• Member Engagement
• Training and speaking engagements
• Cybersecurity Member Advisory Group
• Subject matter expertise to

support other departments:

• Government Relations
• Communications
• Education & Training
• NRECA leadership in the

cybersecurity community:

• DOE’s Cybersecurity Capability

Maturity Model Working Group

• NERC GridEx VI Working Group
• National Academy of Sciences’

Committee on the Future of Electric Power in the U.S.

• National Guard’s Cyber Shield

Exercise

• Speaking events

New Research Project!

MANAGING CYBER SECURITY RISK IN DISTRIBUTED ENERGY RESOURCES (DER)

DER Project Goals: Identify --

• cyber risks that DERs present to the grid;
• types and magnitude of current and emerging cyber

threats and vulnerabilities within DER;

• industry best practices, and recommended solutions and

techniques that address cybersecurity risk within DER environments; and,

• DER cybersecurity technical architectures currently

utilized by utilities.

DER Project Goals: Identify --

• cyber risks that DERs present to the grid;
• types and magnitude of current and emerging cyber

threats and vulnerabilities within DER;

• industry best practices, and recommended solutions and

techniques that address cybersecurity risk within DER environments; and,

• DER cybersecurity technical architectures currently

utilized by utilities.

DER Project Goals: Identify --

• cyber risks that DERs present to the grid;
• types and magnitude of current and emerging cyber

threats and vulnerabilities within DER;

• industry best practices, and recommended solutions and

techniques that address cybersecurity risk within DER environments; and,

• DER cybersecurity technical architectures currently

utilized by utilities.

DER Project Goals: Identify --

• cyber risks that DERs present to the grid;
• types and magnitude of current and emerging cyber

threats and vulnerabilities within DER;

• industry best practices, and recommended solutions and

techniques that address cybersecurity risk within DER environments; and,

• DER cybersecurity technical architectures currently

utilized by utilities.

DER Project Goals: Identify --

• cyber risks that DERs present to the grid;
• types and magnitude of current and emerging cyber

threats and vulnerabilities within DER;

• industry best practices, and recommended solutions and

techniques that address cybersecurity risk within DER environments; and,

• DER cybersecurity technical architectures currently

utilized by utilities.

Develop tools and resources to help small and mid-sized utilities improve their cybersecurity capabilities.

This material is based upon work supported by the Department of Energy National Energy Technology Laboratory under Award Number DE-OE0000807.

IMPROVING THE CYBER AND PHYSICAL SECURITY POSTURE OF THE ELECTRIC SECTOR

This material is based upon work supported by the Department of Energy National Energy Technology Laboratory under Award Number DE-OE0000807.

RURAL COOPERATIVE CYBERSECURITY CAPABILITIES PROGRAM

RC3 CYBERSECURITY SELF-ASSESSMENT

https://www.cooperative.com/programs-services/bts/Pages/Assessing- Your-Cybersecurity-Posture.aspx#hardcopy

This material is based upon work supported by the Department of Energy National Energy Technology Laboratory under Award Number DE-OE0000807.

This material is based upon work supported by the Department of Energy National Energy Technology Laboratory under Award Number DE-OE0000807.

SELF-ASSESSMENT RESEARCH PROGRAM

I came away from the first day with a hopeless feeling. I thought, as small a co-op as we are, we can’t possibly do this.

This material is based upon work supported by the Department of Energy National Energy Technology Laboratory under Award Number DE-OE0000807.

SELF-ASSESSMENT RESEARCH PROGRAM

I came away from the first day with a hopeless feeling. I thought, as small a co-op as we are, we can’t possibly do this. The second day was totally different. We learned – “Here’s what you can do.” It was much more enjoyable, much more helpful. I came away realizing that we’ve got to beef up our system. Look, I’ve got 14 employees that’s all. And zero in IT… [but] I think we can come up with solutions.

This material is based upon work supported by the Department of Energy National Energy Technology Laboratory under Award Number DE-OE0000807.

ONLINE SELF-ASSESSMENT LICENSE PROGRAM

17 Seven States members currently in the Program

RC3 TABLE TOP EXERCISES (TTX) TOOLKIT

• Planning Checklist
• Delivery Day Checklist
• After-Action Checklist
• TTX Sample Invitation
• Facilitator’s Tips
• Participant Worksheet
• After-Action Report Template
• Facilitator’s Guide & Slides

This material is based upon work supported by the Department of Energy National Energy Technology Laboratory under Award Number DE-OE0000807.

RC3 TABLETOP EXERCISE (TTX) TOOLKIT

https://www.cooperative.com/programs-services/bts/rc3/Pages/RC3- Cybersecurity-Tabletop-Exercise-Toolkit.aspx

NATIONAL VIRTUAL TTX EXERCISE!!

& American Public Power Association Hold the DATE: October 29, 2020

National Cybersecurity Awareness Month

https://nuari.net/decide/

CYBERSECURITY GUIDEBOOK SERIES

• Legal
• Incident Response
• Human Relations
• CEOs/General Managers
• Board Members
• Finance/Administrative
• Engineers/Operators

This material is based upon work supported by the Department of Energy National Technology Laboratory under Award Number DE-OE0000807.

https://www.cooperative.com/programs-services/bts/rc3/Pages/RC3-Cybersecurity-Guidebook-Series.aspx

CYBERSECURITY GUIDEBOOK SERIES

This material is based upon work supported by the Department of Energy National Energy Technology Laboratory under Award Number DE-OE0000807.

RC3 PROGRAM RESOURCES

• RC3 Program website at:
• https://www.cooperative.com/programs-services/bts/rc3/
• RC3 Program Team:
• cynthia.hsu@nreca.coop
• CyberSecurityRC3@nreca.org
• RC3 Axio Support Inbox
• rc3.support@axio.com

This material is based upon work supported by the Department of Energy National Energy Technology Laboratory under Award Number DE-OE0000807.

Lauren Khair Senior Analyst Economics & Industry

• Dr. Craig Miller

Chief Scientist

• Dr. Cynthia Hsu

Cybersecurity Program Manager Office: 703-907-5500 Mobile: 703-403-8698 Email: cynthia.hsu@nreca.coop Bob Gibson Consultant Adaora Ifebigh Project Manager, R&D Engagements Maureen Gatti Consultant Laura Moorefield Consultant

https://www.cooperative.com/programs-services/bts/rc3/Pages/default.aspx

Bob Larmouth Consultant, Project Manager Phil Craig Consultant, BlackByte Cyber Security Moin Shaikh Principal, Cybersecurity SME Grayson Estes Consultant, Cybersecurity SME Doug Lambert Senior Principal Grid Solutions

RURAL COOPERATIVE CYBERSECURITY CAPABILITIES PROGRAM TEAM

Valerie Sayd Consultant

Live Demonstration of Assessment Tools

Dave White, Axio

• Axio360 is deployed in Google Cloud Platform, including

numerous intrinsic security features, and additional security and monitoring controls configured by Axio

• Security activities include daily application static analysis, daily

automated dynamic analysis, continuous logging with automated review, annual third-party penetration testing, and annual audit for SOC2

• Seven States, APPA, NRECA, and other utilities will have no access

to your self-assessment responses unless you share them

• Axio internal data scientists have limited access to de-identified

self-assessment data for analysis and benchmark calculation

SOC2 type 1 completed in 2019; type 2 anticipated by end of 2020

Axio360 security and privacy

https://a-lign.com/compliance/soc-2

9/1/2020 CyberSecure: A Virtual Cybersecurity Workshop for Electric Utilities 65

Topics covered in this demo

9/1/2020 CyberSecure: A Virtual Cybersecurity Workshop for Electric Utilities 66

14 questions address the 51 foundational activities from C2M2 to build your cybersecurity program Demo Agenda

• Login: https://publicpower.axio.com
• Dashboard: home base
• Initiating a new scorecard
• Intro screen
• Scorecard organization
• Review
• Question 1: Cyber Asset Inventory topic
• Question 1 answers describe elements of asset

inventory

• Report and dashboard output

Public Power Cybersecurity Scorecard

133 specific, actionable, early-stage controls to formulate your cybersecurity action plan Demo Agenda

• Login: https://nreca.axio.com (same credentials)
• Dashboard: home base
• Initiating a new RC3 assessment
• Using an assessment over time
• RC3 organization: NIST CSF Functions
• Review
• IDE-01: Identify Our Cooperative’s Cyber Assets
• IDE-02: Identify What Information Our Cooperative

Stores And Uses

• Report and dashboard output

NRECA RC3 Cybersecurity Self-Assessment

To the web!

9/1/2020 CyberSecure: A Virtual Cybersecurity Workshop for Electric Utilities 67

Public Power Scorecard: https://publicpower.axio.com NRECA RC3: https://nreca.axio.com

CyberSecure:

A Virtual Cybersecurity Workshop for Electric Utilities

THE WEBINAR WILL RESUME AT 11:00AM ET

Welcome Back!

Dave White, Axio

Public Power Cybersecurity Scorecard Deep Dive

Dave White, Axio

To the web!

9/1/2020 CyberSecure: A Virtual Cybersecurity Workshop for Electric Utilities 71

https://publicpower.axio.com

• Account Creation and Login
• Create an assessment
• Planning, Scoping and Building Your Team
• Sharing and Remote Collaboration
• Score Card Question Review

1. Cyber Asset Inventory 2. Configuration Baseline 3. Access Control 4. Vulnerability Management 5. Threat Management 6. Cyber Risk Management 7. Cyber Event Detection 8. Cyber Incident Response 9. Operational Resiliency

• 10. Monitoring Cyber System Activity
• 11. Cyber Threat and Event Information Sharing
• 12. Supply Chain Risk
• 13. Workforce Management and Cybersecurity Training
• 14. Cybersecurity Program Management
• Assessment Dashboard
• Interpreting Results

Public Power Cybersecurity Scorecard

Topics covered in this demo

9/1/2020 CyberSecure: A Virtual Cybersecurity Workshop for Electric Utilities 72

NRECA RC3 Cybersecurity Self-Assessment Deep Dive

David White, Axio

To the web!

9/1/2020 CyberSecure: A Virtual Cybersecurity Workshop for Electric Utilities 74

https://nreca.axio.com

• RC3 Assessment Functions
• Identify

— Identify Our Cooperative’s Cyber Assets — Identify What Information Our Cooperative Stores And Uses

• Protect

— Secure Our Network — Patch Our Operating Systems And Applications

• Detect

— Maintain And Monitor Logs

• Respond

— Develop a Plan for Disasters and Cyber Incidents

• Recover

— Take Backups of Important Data

• Assessment Dashboard
• Interpreting Results

NRECA’s RC3 Cybersecurity Self-Assessment

Topics covered in this demo

9/1/2020 CyberSecure: A Virtual Cybersecurity Workshop for Electric Utilities 75

Closing Remarks

76

SPECIAL THANK YOU TO OUR PRESENTERS

77

CHUCK SPEAKS NATHAN MITCHELL CYNTHIA HSU

Intuitive Research and Technology Corporation American Public Power Association National Rural Electric Cooperative Association

chuck.speaks@irtc-hq.com 256.922.9300x1254 nmitchell@publicpower.org 202.731.1851 cynthia.hsu@nreca.coop 703.907.6663

DAVE WHITE

Axio

dwhite@axio.com 917.209.9284

Contact Information

1206 Broad St., Chattanooga, TN (423) 490-7772 @7StatesPower @Seven States Power Corporation SevenStatesPower.com

78