UTILITY CYBERSECURITY - PREPARE FOR THE WORST

20 March 2012

UTILITY CYBERSECURITY PREPARE FOR THE WORST DAN RUECKERT, P.E. ASSOCIATE VICE PRESIDENT BLACK & VEATCH

GEORGE GAMBLE DIRECTOR BLACK & VEATCH

AGENDA Utility Landscape & Trends Regulations Looking Ahead Questions & Discussion


UTILITY LANDSCAPE & TRENDS


RECENT NEWS SETTING THE STAGE

Cybersecurity and Privacy Issues related to Smart Meters (December 2011)
Public Utilities Commissions are examining the cybersecurity and privacy requirements that currently exist under federal and state law, rules, and utility policies and practices applying to transmission and distribution utilities, and identifying potential regulatory gaps by examining the extent to which existing federal requirements may or may not apply to cybersecurity and privacy issues for smart meters and related systems.

SEC Issues Guidance on the Disclosure of Cybersecurity Incidents and Costs On October 13, 2011 the U.S. Securities and Exchange Commission (SEC) issued disclosure guidance related to cybersecurity risks and costs that may have far-reaching impacts on electric utilities. For those electric utilities already subject to the North American Electric Reliability Corporation (NERC) CIP cybersecurity requirements, this guidance suggests the need for increased scrutiny of compliance costs and harms resulting from cyber incidents and potential cyber incidents to evaluate appropriate disclosure. With the pending increase in the number of assets covered by the Version 4 Critical Infrastructure Protection (CIP) Reliability Standards, which the Federal Energy Regulatory Commission (FERC) recently proposed to approve, the costs of compliance are likely to significantly increase across the electric utilities industry, affecting a wide variety of SEC registrants subject to FERC’s reliability jurisdiction.

Cyber attacks on Utilities, Industries rise (AP – Thu, Sep 29, 2011)
According to DHS, Control Systems Security Program cyber experts based at the Idaho National Laboratory responded to 116 requests for assistance in 2010, and 342 so far in 2011. A senior Homeland Security cyber official, who spoke on condition of anonymity because of the sensitivity of the topic, said the Stuxnet worm exploited well-known design flaws (the Siemens SIMATIC WinCC default-password security bypass vulnerabilities) that in general can't be patched. Stuxnet is not just another run-of-the-mill piece of malware (a worm: self-contained and self-reproducing), but one designed to target critical infrastructure. It uses two currently unpatched vulnerabilities in Windows to gain administrative rights on a system.

According to the Government Accountability Office, the nation's wires infrastructure comprises $1 trillion in assets and 200,000 miles of transmission lines. Altogether, over 800,000 megawatts of power serve more than 300 million people. Because the system is now connected to the outside world, it is open to attack.

CYBERSECURITY IS IN BROAD PUBLIC VIEW

RECENT MEDIA (headline montage)
Don't forget about Duqu
CBS 60 Minutes – early March 2012

THE ELECTRIC UTILITY LANDSCAPE: A CYBERSECURITY LAYERED PERSPECTIVE

(Layered diagram; labels only.) Generation, Transmission, Distribution, Control Center, RTO, ISO, Retail Markets, Neighborhood Area Network (NAN)

EVOLVING COMPLEX ARCHITECTURES

NIST IR 7628 – UNIFIED LOGICAL ARCHITECTURE FOR THE SMART GRID (diagram)

There are only two basic ways to hack computers:
• Taking advantage of configuration problems
• Taking advantage of problems built into software

INDUSTRY TRENDS

TECHNOLOGY CONVERGENCE (diagram)

Convergence of energy technologies provides a platform for driving performance

UTILITY LANDSCAPES INTEGRATED AND DEPENDENT ON EACH OTHER

(Interdependency diagram.) Oil, Electric Power, Natural Gas, Water, Telecom, Transportation

CYBERSECURITY CHALLENGES FOR THE UTILITY

Increasing Threats
• Sophistication
• Frequency
• Speed
• Quantity
• Complexity
• Impact potential

Service Level Expectations
• Trustworthiness
• Confidentiality
• Integrity
• Availability
• Privacy

Demands on Technology Management
• An integrated approach to risk management
• A holistic approach to security
• Proactive
• How to operationalize

Regulation & Compliance
• Governance (Policy & Procedures)
• CEO, Board-level accountability
• New laws and dynamic regulations
• Industry-specific regulations

POTENTIAL UTILITY BUSINESS IMPACTS OF A CYBER INCIDENT

Productivity
• (No. of employees impacted x hours) + (burdened hours + cost of restoration)

Other Expenses
• Temporary employees, equipment rental, overtime costs, extra shipping costs, travel expenses
• Regulatory fines

Financial Performance
• Cash flow, payment guarantees, lost discounts (A/P), credit rating, stock price, penalties

Technology Management
• Analysis and remediation costs

Hidden Costs
• Impacted customers and liabilities
• Lost opportunities

Damaged Reputation
• Customers, suppliers, financial markets, business partners, banks, litigation & internally

UTILITY MARKET ANALYSIS

CYBERSECURITY TRENDS
Cybersecurity appears to be a market that will continue to grow regardless of economic conditions. According to Gartner, the recession has had minimal impact on the utility security market, and continued growth is expected. Overall, security solutions in the United States are expected to grow approximately 9 to 13 percent annually, reaching approximately $50 billion by 2015. Current estimates of spending by utilities (i.e., water, electric and natural gas) are $15 to $18 billion through 2015.

NERC CIP is not the only security standard driving cybersecurity. Utilities also measure themselves against Sarbanes-Oxley (SOX), and their information security infrastructure against NIST guidance. Others measure against additional industry standards such as the INFOSEC Assessment Capability Maturity Model (IA-CMM), which was set up by the National Security Agency (NSA).

UTILITY MARKET ANALYSIS (chart)

TOP 20 AREAS OF VULNERABILITY: THE SANS 20 CRITICAL SECURITY CONTROLS
SANS (SysAdmin, Audit, Network, Security) Institute

Critical Controls Subject to Automated Collection, Measurement, and Validation:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention

Additional Critical Controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps

Working on the Top 20 would form 80% of a security foundation within your company
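The first group of controls is called "subject to automated collection, measurement, and validation" because each one can be reduced to a comparison of what is authorized against what is observed. The following is an added example, not part of the original slides or of any SANS or Black & Veatch tooling, showing that comparison for Control 1 (device inventory) and Control 13 (ports, protocols and services) on a substation-style network. The authorized baseline and the scan output are constructed inline; in practice the baseline would come from the asset register and the scan from a passive listener or a scheduled active scan. Port numbers used for the RTU (502 Modbus/TCP, 20000 DNP3) are the standard registered ports; every hostname, MAC and IP address is a made-up placeholder.

```python
"""Baseline-vs-observed check for SANS Critical Controls 1 and 13.

Added example; devices, addresses and scan results are constructed.
"""
from dataclasses import dataclass

# Authorized asset baseline (constructed). Keyed by MAC so that a host
# that changes IP address is still recognised as the same device.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": {"host": "hmi-01", "ip": "10.0.5.10", "ports": {3389, 445}},
    "00:11:22:33:44:02": {"host": "historian-01", "ip": "10.0.5.20", "ports": {1433}},
    "00:11:22:33:44:03": {"host": "rtu-sub7", "ip": "10.0.5.30", "ports": {502, 20000}},
}

# Constructed scan output, one line per responding host:
#   <ip> <mac> <comma-separated open TCP ports>
# Not a real capture; the historian shows telnet (23) open and a device
# that is not in the baseline answers at 10.0.5.99.
SCAN_OUTPUT = """\
10.0.5.10 00:11:22:33:44:01 3389,445
10.0.5.20 00:11:22:33:44:02 1433,23
10.0.5.99 aa:bb:cc:dd:ee:ff 80,22
"""


@dataclass(frozen=True)
class Finding:
    control: int   # SANS Critical Control number the finding maps to
    severity: str  # "high", "medium" or "low"
    host: str      # baseline hostname, or the IP if the device is unknown
    detail: str


def parse_scan(text):
    """Parse 'ip mac ports' lines into {mac: (ip, set_of_open_ports)}."""
    observed = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        ip, mac, ports = line.split()
        observed[mac.lower()] = (ip, {int(p) for p in ports.split(",") if p})
    return observed


def check_inventory(baseline, observed):
    """Compare observed devices/ports against the authorized baseline.

    Control 1: a MAC that is not in the baseline is an unauthorized device;
               a baseline MAC seen at another IP is flagged for review;
               a baseline device that did not respond is reported as unseen.
    Control 13: any open port not in the device's authorized set is flagged.
    """
    findings = []
    for mac, (ip, ports) in observed.items():
        entry = baseline.get(mac)
        if entry is None:
            findings.append(Finding(1, "high", ip,
                                    f"unknown device {mac} with open ports {sorted(ports)}"))
            continue
        if ip != entry["ip"]:
            findings.append(Finding(1, "medium", entry["host"],
                                    f"seen at {ip}, baseline says {entry['ip']}"))
        extra = ports - entry["ports"]
        if extra:
            findings.append(Finding(13, "high", entry["host"],
                                    f"unauthorized open ports {sorted(extra)}"))
    for mac, entry in baseline.items():
        if mac not in observed:
            findings.append(Finding(1, "low", entry["host"],
                                    "authorized device not seen in scan"))
    return findings


if __name__ == "__main__":
    for f in check_inventory(AUTHORIZED_DEVICES, parse_scan(SCAN_OUTPUT)):
        print(f"CSC-{f.control:02d} [{f.severity}] {f.host}: {f.detail}")
```

Run as-is it reports three findings: the unknown device at 10.0.5.99 (Control 1), telnet open on the historian (Control 13), and the RTU that did not answer the scan (Control 1, low severity, because a silent device may simply be offline, but an RTU that has stopped responding deserves a look). Keying on MAC rather than IP is a deliberate choice: an address change on a known device is a change-control question, not a new asset, and an attacker borrowing a known IP is caught by the MAC mismatch.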


REGULATIONS

The boss says that cybersecurity is extremely important and top priority. That is, unless it makes something inconvenient.

U.S. GOVERNMENT IMPACT ON SECURITY (image)

REGULATORY LANDSCAPE: MULTIPLE REGULATIONS & STANDARDS
• Federal Energy Regulatory Commission – NERC
• Department of Energy – NIST
• Department of Homeland Security – US-CERT
• Nuclear Regulatory Commission – CFRs
• Nuclear Energy Institute – NEI documents
• U.S. Government Accountability Office – FISMA
• S. 2105 - Cybersecurity Act of 2012
• S. 2151 - SECURE IT Act (Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012)

Pressures originate from more than one government body and the taxonomy is becoming complex

FERC / NERC CIP STANDARDS EVOLUTION

Risk Based Methodology Review of Critical Assets (CAs) and Critical Cyber Assets (CCAs):
• A letter dated April 7, 2009 from Michael Assante, Vice President and Chief Security Officer of NERC, expressed concerns with data recently submitted to NERC regarding Critical Asset and Critical Cyber Asset identification

NERC is moving away from the Risk Based Methodology to ensure protection of all Critical Assets:
• NERC CIP Version 4 – Proposed for approval by FERC on September 15, 2011; removes the Risk Based Methodology and establishes "bright-line" criteria for determining Critical Assets
• NERC CIP Version 5 – Initial ballot completed and under review; removes Critical Assets and moves toward identifying Bulk Electric System (BES) Cyber Systems (i.e. based on the NIST SP 800-37 notion of "information systems"). Ensures that ALL BES-related information systems are afforded some level of protection

NERC is advising all registered entities of its concern about the sufficiency of evidence supporting Critical Asset identifications in which all substations and generating facilities are excluded. NERC believes that a finding of non-compliance is highly probable absent such evidence from the risk assessment (per NIST SP 800-30).

NRC NUCLEAR EVOLUTION AND NEI
• The FERC and NRC "Bright-line Study" clarified the jurisdictional delineation of Nuclear Power Plant (NPP) Systems, Structures and Components (SSCs) through the creation of an exemption process for excluding certain SSCs from the scope of applicable NERC Standards, as provided in FERC Order No. 706-B
• Regulations:
  • 10 CFR 73.54
  • Regulatory Guide 5.71
• Standards:
  • NEI 08-09, with NEI 10-09 for implementation

Each plant has developed a cyber security plan and implementation schedules with deadlines

POWER AND INFORMATION INFRASTRUCTURE: HOW TO ASSESS AND IMPLEMENT THE REGULATIONS (CURRENT STATE)

(Diagram; labels only.) 1. POWER INFRASTRUCTURE; 2. INFORMATION INFRASTRUCTURE; Protection, SCADA, EMS, RTO, DER; Security, Network & Data Management; IEC 61850, CIM, GID, …; TCP/IP, Encryption, SNMP, …

Two infrastructures must be managed

POWER AND INFORMATION INFRASTRUCTURE: HOW TO ASSESS AND IMPLEMENT THE REGULATIONS (FUTURE STATE)

(Diagram; labels only.) 1. POWER INFRASTRUCTURE; 2. INFORMATION INFRASTRUCTURE; Generating Plant, Step-Up Transformer, Transmission, Transmission Substation, Distribution Substation, Control Center, Users of Power System Data; distributed resources: Fuel Cell, MicroTurbine, Photovoltaics, Diesel Genset, Combined Heat & Power, Batteries, Flywheel; customers: Residential, Commercial, Industrial

Two infrastructures must be managed in the future; not just one!

LOOKING AHEAD


UTILITY EXPECTATIONS: EVOLVING SMART UTILITY INFRASTRUCTURE LANDSCAPE AND MATURITY

(Maturity matrix. Horizontal axis: Integration Progression, from Data through Information and Knowledge to Wisdom, low to high. Vertical axis: Strategic Impact, low to high. Bands: Market Today, Industry Average, Industry Best, Industry Defining.)
I. Smart Network – Device Connectivity; Smart Grid
II. Smart Information – Data Aggregation and Analysis; Smart Single-Use Infrastructure
III. Smart Utility – Multi-System, Multi-Facility Aggregation
IV. Smart Infrastructure – Multi-Utility Integration; Physical-Cyber Integration

Convergence of energy, heating / cooling, water, waste management, communications, security, and transport is needed to support efficiency & reliability

UTILITY DEFENSE-IN-DEPTH ISSUES: SMART GRID VIEW

(Diagram; labels only.) Strategic Direction: Strategy & Direction; Requirements & Drivers; Privacy Considerations. Enterprise: Organization; Business Process; Security & Operations. Technical Execution (layers): Application Security; Application; Data; Meter / Host; Network; Physical; Tamper Management.

People, Process & Technology have to work together

UNIFIED CONTROLS PROGRAM: A LIFECYCLE APPROACH

Input frameworks and standards: NIST, NERC, NEI, State, Local, DHS, ITIL, CobIT, SOX, ASIS, ANSI/ISA, IEEE, HIPAA

Lifecycle:
1. Establish Governance
2. Harmonize Controls to create a Unified Control Framework
3. Tailor Controls to determine the correct baseline
4. Assess Existing Implementation of Controls
5. Plan Remediation Activities & Tools
6. Implement Remediation Actions

Treat cybersecurity like safety in our daily tasks

QUESTIONS & DISCUSSION
