Slide 1: Cyber Security in Critical Infrastructure Protection (CIP)
Morgan King, Senior Compliance Auditor, Cyber Security, Western Electricity Coordinating Council

Talking Points:
Cyber Security: offensive and the use of controls. Cyber Security: the language of standards.
Has anyone noticed how often Cyber Security is spelled differently (is "Cybersecurity" a single word or two?), and whether that means anything? I do not intend to settle this debate here and now. When googling anything Cyber Security related, there is still no agreement on the spelling and meaning of Cybersecurity. For this presentation we use Gartner's "Definition: Cybersecurity" (note that Gartner uses the single-word form). So basically I want to address the Cybersecurity of the Cyber Security Standards.
Slide 2: Objectives
Technology, Cyber Security, and CIP. What the WECC CIP Team is doing to stay out ahead. Increase understanding and awareness.

Talking Points:
I want to discuss how technology and Cybersecurity affect CIP, looking back a bit so we can better understand where things are going. Being on the WECC CIP team requires staying current on the latest technologies, how they change cybersecurity, and how CIP is reacting to and addressing these continuous changes. The team is working to ensure we have a seat at every table so that we stay in the loop on the goings-on within the ERO. With CIP team personnel, we are working to provide outreach while maintaining our auditor independence.
Slide 3: Vermont's Burlington Electric
A single laptop had been infected with malware. Clickbait headlines and fake news. Bad reporting ≠ a cyber attack is impossible. "Critical" may be relative to one's agenda.

Talking Points:
The state of Cyber Security, general and specific to the BES. It is important to reevaluate the climate we are working in and reassess; the period after the alleged Vermont incident appears to be that very time. The reality is that we have to ensure we do not run around yelling that the sky is falling (FUD), so that we end up missing the real security objectives. That does nothing to help.

FBI/DHS joint report: Russian malware used in the DNC hack was found on a single Burlington Electric laptop. What is important is the infrastructure we are working to protect. After the FBI and the Department of Homeland Security issued a joint report on 29 December 2016 that included code believed to have been used by Russian hackers to penetrate the Democratic National Committee, Burlington Electric in Vermont scanned their systems for malware and discovered a single laptop had been compromised. A computer infected by malware "proved" a Vermont power company had been targeted for disruption by Russian hackers. The infected laptop was not connected to the power grid, and no evidence documents that the malware was placed on the laptop by Russian hackers and/or by persons with the intent of disrupting a U.S. power grid.

We hear a lot today about clickbait and fake news. This actually distorts our situational awareness. As it turns out, they got a hit and Burlington Electric reported this to DHS. Again, this is exactly what they should have done. After the results of the scan were reported, someone leaked those details to the Post, followed by clickbait headlines, or "fake news", and a major media push to warn the public about Russian hackers. But when the basics are skipped, such as source verification and fact checking, it is hard for those who are not technically savvy to separate hype from reality. This does no service to Cyber Security. (Summarize the recent event.) Not every "ping" on a utility's corporate network is a cyber attack; "attack" is becoming a relative word. The power grid hack that wasn't: Vermont's Burlington Electric.
Slide 4: Pranks

Talking Points:
Looking back for a moment may provide some perspective on Cyber Security's evolution and on what exactly it is we are defending. Believe it or not, this actually used to be a thing. It seems so 1990s and is seen as pranks today. Gone are the days when this even seemed to be noticed. (About the entities, and to the members as well.)
Slide 5: Outsmart

Talking Points:
Cyber Security then moved into an era of personal gain, be that financial or otherwise. A hacker realized that recent speed traps used cameras that automatically register your speed, take a picture of your license plate, and then use character recognition to translate the license plate number into something they can use as a lookup within the DMV database. The string on the plate:

('ZU 0666', 0, 0); Drop Database Table.

If the DMV uses this string of characters in its database lookup, it has a good chance of deleting all of the database records containing his actual license plate number, ZU 0666.
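The slide describes the failure without showing the back end that makes it possible. The following is an added example, not code from the presentation or from any DMV system: a hypothetical camera-reading table in SQLite, with the plate text first spliced into the SQL by string formatting (the vulnerable pattern) and then bound as a parameter (the fix). The table name `speeding`, the column layout and the sample plate strings are all constructed for this example.

```python
import sqlite3

# Constructed sample inputs (not from the presentation): the text the camera's
# OCR would hand to the back end for an honest plate and for the plate on the slide.
HONEST_PLATE = "AB 1234"
INJECTED_PLATE = "ZU 0666', 0, 0); DROP TABLE speeding; --"


def fresh_db():
    """Hypothetical DMV-style table: one row per camera reading."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE speeding (plate TEXT, speed INTEGER, camera INTEGER)")
    return db


def record_vulnerable(db, plate, speed, camera):
    """Builds the statement by string formatting and runs the whole string.

    executescript() runs every statement in the text, so the quote and
    semicolon inside the OCR'd plate end the INSERT early and the attacker's
    DROP TABLE that follows is executed as well; "--" comments out the rest.
    """
    sql = f"INSERT INTO speeding VALUES ('{plate}', {speed}, {camera});"
    db.executescript(sql)


def record_safe(db, plate, speed, camera):
    """Parameterised statement: the plate is bound as a value, never parsed as SQL.

    Whatever the OCR produced is stored verbatim as text; it cannot add statements.
    """
    db.execute("INSERT INTO speeding VALUES (?, ?, ?)", (plate, speed, camera))


def table_exists(db):
    """True while the speeding table is still present in the schema."""
    row = db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'speeding'"
    ).fetchone()
    return row is not None


def stored_plates(db):
    """Plates currently stored, in insertion order."""
    return [row[0] for row in db.execute("SELECT plate FROM speeding ORDER BY rowid")]


if __name__ == "__main__":
    db = fresh_db()
    record_vulnerable(db, HONEST_PLATE, 140, 7)
    record_vulnerable(db, INJECTED_PLATE, 140, 7)
    print("vulnerable path, table still exists:", table_exists(db))  # False

    db = fresh_db()
    record_safe(db, HONEST_PLATE, 140, 7)
    record_safe(db, INJECTED_PLATE, 140, 7)
    print("safe path, table still exists:", table_exists(db))  # True
    print("safe path, stored plates:", stored_plates(db))
```

The point for an auditor is that the camera, the OCR and the database are each working as designed; the defect is the boundary between them, where untrusted text is concatenated into a command. Bound parameters keep data and code separate regardless of what the OCR reads, and a database account used by a camera feed should in any case not hold the privilege to drop tables.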
Slide 6: Kinetic Cyber Attacks
https://www.siemens.com/customer-magazine/en/home/energy/power-transmission-and-distribution/managing-the-energy-transition.html

Talking Points:
Today the stakes are much higher, as we have moved into cyber attacks with the potential to damage the physical world: cyber attacks that can cause direct or indirect physical damage, injury or death solely through the exploitation of vulnerable information systems and processes. Even though each of us is sitting here in a board meeting instead of at an operator's desk, we all have a part in securing the BES, no matter what vantage point we stand at in our organizations. There truly is a difference between cyber threats (computers) and truly operational control systems. I want to make this abundantly clear: Cyber Security is not a compliance destination and not a product, but a process.
Slide 7: Situational Awareness
Conventional (kinetic) v. cyber conflicts. Cognitive biases limit comprehension of available information: confirmation bias, optimistic bias. SA strongly impacts the outcome of the mission.
https://arxiv.org/pdf/ (US Army Research Laboratory)

Talking Points:
The US Army Research Laboratory looked to find that the challenges and opportunities of kinetic situational awareness (KSA) and cyber situational awareness (CSA) are similar, or at least parallel, in several important ways. With respect to similarities, in both the kinetic and cyber worlds SA strongly impacts the outcome of the mission. Also similarly, cognitive biases are found in both KSA and CSA. SA is developed from the information flowing from the boots on the ground (SMEs) to the commanders (leaders in an organization). As an example of differences, KSA often relies on a commonly accepted, widely used organizing representation: a map of the physical terrain of the battlefield. No such common representation has emerged in CSA yet. Both KSA and CSA may suffer from cognitive biases. The exact manner in which a cognitive bias influences the formation of SA remains a topic for research, in both the cyber and kinetic worlds. It cannot be excluded that CSA suffers from different biases than KSA, and perhaps through different mechanisms. The commander and staff surprisingly often dismissed or misinterpreted the available correct information. They also overestimated the completeness and correctness of their KSA, perhaps partly because the advanced sensors and information displays lulled them into a false sense of security ("I can see it all"). There was an alarming gap between the information available to the commander and staff and the KSA they derived from that information: the commander's assessment of the available information was correct only approximately 60% of the time. A cognitive bias, a kind of "belief persistence", appeared to be a common cause of this inadequate comprehension of available information.
Slide 8: Missions
FERC: Reliable, affordable energy through reliance on competition and effective regulation.
NERC: [NERC's] mission is to ensure the reliability of the bulk power system in North America.
https://archive.org/

Talking Points:
Let me now move this more closely to the regulatory world we operate in. Full compliance with the CIP standards as of July 2009. Using archive.org (the Wayback Machine), and with SA in mind, let's look back at where we were before the CIP Standards. Reliability was, and still is, the mission.
Slide 9: Cyber Security Perspective
FERC's Mission: Promote safe, reliable, secure, and efficient infrastructure. (ferc.gov)
NERC is a not-for-profit international regulatory authority whose mission is to assure the reliability and security of the bulk power system in North America. (nerc.com)

Talking Points:
Perspectives certainly have changed, and continue to change, from a Cyber Security standpoint. Today Cyber Security has to be in the reliability equation. An entity may be reliable but not secure, and then eventually not reliable. We must also look at reliability from a Cyber Security perspective, from the top of an organization down to those implementing and operating the BES. Headlines around the world are filled with reports of cyber attacks, large-scale financial crimes and threats to national security. But the news is also full of great innovations: ways technology can create breakthroughs which improve our productivity, our health and our future prosperity.
Slide 10: CIP Criticisms
Do the CIP Standards really have a direct impact in protecting the Bulk Electric System? Our entity has a very small footprint and CIP is a burden. CIP is too prescriptive/ambiguous. CIP is stifling the use of emerging technologies.

Talking Points:
Looking back at v3: from the beginning CIP has not been without its criticisms. So, as a team, while acknowledging that some of these may be fair criticisms, the reality is this. Do the CIP Standards really have an impact in protecting the BES? We have heard this stated on multiple occasions from people in various roles and responsibilities. Not to cry wolf or speak FUD, but this is fundamentally a misunderstanding of Cyber Security. An entity can continue operating reliably, but if it is not secure it will eventually not be reliable either. The CIP Standards have tied together our defense in depth in protecting Critical Assets. CIP v5 has opened the door to Risk-Based Compliance Monitoring and a system-centric approach to Cyber Security. What does this mean for Cyber Security? It means a paradigm shift from zero tolerance and prescribing one way to meet compliance, to industry reaching for Cyber Security best practices and having compliance be a product of that. (Note to self: will work on it more the first of the week or as I get some ideas.)
Slide 11: Dissertation
The Effect of North American Electric Reliability Corporation Critical Infrastructure Protection Standards on Bulk Electric System Reliability, by Marlene Z. Ladendorff

Talking Points:
In August. Marlene is currently working for ICS-CERT and, to her credit, asked the question, and looked to a qualitative exploratory inquiry research methodology. The research was not by any means exhaustive, but it offers a more thorough qualitative assessment of CIP and its effect.
Slide 12: Dissertation Themes
Entities removing equipment to avoid CIP
CIP's positive effect on the BES
NERC fines influencing implementation
Removing SMEs to do CIP paperwork
Compliance versus security
Lack of common vocabulary
Inconsistent audits or auditing
Cyber security always in response mode
CIP's negative effect on the BES

Talking Points:
In a more qualitative analysis of the CIP standards, eight years into the CIP Standards many of these are still very valid criticisms. It is important to note that one of the nine themes is CIP's positive effects. Under Risk-Based Compliance Monitoring, many entities have wondered how it would work and actually impact entities. RBCM has opened the door to work more closely with the entities and discuss security, and in that discussion identify compliance rather than violations; we work to identify recommendations and Areas of Concern, not zero tolerance. So CIP is certainly maturing.
Slide 13: OT-IT
So let's get to the technology for a moment. How did we get here? ICS have traditionally been developed using specialized hardware and deployed as stand-alone platforms employing vendor-proprietary communication protocols to interact among like systems. In the past, this compartmentalized architecture met manufacturing and business goals while eliminating the risk of cyber intrusions that could arise from the exploitation of well-known vulnerabilities found in commercial systems and applications.

Talking Points:
Taking a step back for a moment, it is important to consider where we came from. ICS have traditionally been developed using specialized hardware and software and deployed as stand-alone platforms employing vendor-proprietary communication protocols to interact among like systems. The majority of ICS were confined to a particular physical plant and detached from external computer networks. As a result, organizations had to strengthen their physical security to ensure that the systems were accessed and operated only by those individuals who had authorization to do so.

The increasing need to reduce manufacturing and operational costs, enhance productivity and provide access to real-time information has been one of the key drivers for organizations to evolve toward utilizing modern networking systems to interconnect ICS with business and external networks. OK, so it looks like the entity has network connectivity throughout different facilities, but would we be able to verify all of the applicable cyber assets?

IT and OT systems are frequently separated both logically and physically. Most notably, their approach to and tolerance of risk differ. Their risk calculations differ (CIA for IT, ACI for OT: availability comes first on the operational side). They use overlapping but largely different sets of networking protocols. ICS environments are engineered to execute specific processes (A -> B -> execute C). Unlike IT environments, which are based on open query and response, OT networks are deterministic by nature and relatively predictable.

Operational technology environments were historically isolated from other networks both physically and by their use of proprietary protocols, so their security was focused on physical controls. For most of their history, "air gaps" prevented remote access. The usual set of locks, guards, background checks, etc., limited exposure to direct threats. Because of this isolated and often proprietary environment, OT cyber security is roughly a decade behind the maturity level of IT security in many ways, including organizational development, funding, available tools and skilled resources.
https://www.sans.org/reading-room/whitepapers/analyst/security-converging-it-ot-world-37382
Slide 14: OT-IT Convergence
IT + OT = a lot of smart objects. Concerns are increased by the recognition that as technology advances and integrates into the electricity system, new threats and vulnerabilities can arise, creating significant new challenges for thousands of system operators to confront. With the increasing need to reduce operational costs, enhance productivity and provide access to real-time information as key drivers, entities evolve toward utilizing modern networking systems to interconnect ICS with business and external networks. OK, so it looks like the entity has network connectivity throughout different facilities, but would we be able to verify all of the applicable cyber assets? How do you consider joint risk management approaches when availability is a critical key performance indicator?

Talking Points:
Organizations which depend heavily on industrial automation are at an inflection point; the winners will share and exploit all data in their enterprise, make better decisions and increase productivity, energy efficiency and safe operations. We find ourselves in the midst of a new industrial revolution. Powered by the recognition of the significant business benefits of converging the previously separate worlds of Internet Protocol-based IT and Operational Technology, the hyper-connected industrial enterprise is a very concrete reality.

Takeaway: The ICS community needs to be aware of external threats and realize that they pose the most targeted threat to operations. However, it was great to see that issues revolving around the integration of IT and OT are accurately seen as a concern. Architecting and maintaining the OT network correctly, including safe and segmented integration, structuring such as the Purdue model, and ultimately reducing the risks associated with IT/OT convergence, will go a long way for the security of the environment. The efforts required to reduce the risk of IT/OT convergence are also the same foundational efforts that help identify, respond to, and learn from external threats and threat vectors.

When treading new paths and integrating innovative technology, it is important to be fully aware of the potential risks and obstacles that lie in wait. Hyper-connectivity has also opened up a new environment for security threats. Cyber Security for industrial organizations is as much about safeguarding the physical well-being of the company and its employees as it is about financial health: an attack that starts in cyberspace can have devastating consequences in the physical world. As such, a full and accurate understanding of these risks is of the utmost importance. (*** not sure about this slide)

As industrial control systems (ICS) cybersecurity breaches continue to increase, the consequences arising from inadequate protection of information have become an important executive management issue. It follows, then, that the convergence of information technology (IT) and operational technology (OT) has become a business imperative. OT traditionally was not perceived as a threat to the infrastructure for a few reasons. Initially, due to the primary need for real-time monitoring, OT systems could not depend on protocols such as Ethernet and were simple, isolated point-to-point networks. The benefits of the IIoT are too attractive not to take advantage of them. Bringing OT and IT together in a way that effectively manages risk is the key to unlocking the tremendous potential of the intelligent, automated energy enterprise. Over time, enterprise networks have replaced proprietary communication tools with protocols such as Ethernet and Internet Protocol (IP), resulting in the erosion of isolation. Threat actors are very familiar with open protocols and the move to those open protocols, so whatever security by obscurity existed is lost.

When bringing these two teams together, it is important to consider the differences between them and establish strong change management processes. By harmonizing the two traditionally separate areas, both the enterprise and the employee will enjoy the benefits of a high-performing, cross-functional team.

Optimized business processes: Decisions will be made in real time with higher levels of confidence because more information will be available regarding the event or condition. For example, load shed or curtailment events will be based on energy availability (IT sources) and demand throughout the distribution network (OT sources). Event management in an IT/OT converged network will execute as a closed-loop process by targeting a feeder or substation and issuing curtailment signals to customers under that substation or feeder. This gauges real-time response and repeats as required to achieve the target reduction time.

Reduced operating costs: Utilities can improve business process intelligence through smarter analytics to minimize spinning reserves and compensate for variable generation sources, such as wind or solar. As an example, operators are able to intelligently manage variable generation assets, which requires integrating reliable weather information (IT sources) and grid power demands (OT sources) with business processes or analytics. With this converged information, electric utilities can better optimize fixed and variable generation assets.

Shorter development time and common platforms: Traditionally, IT and OT groups were developed in two separate domains where almost all of the communication, hardware and software were specific to each domain. Now the proliferation of communication standards, powerful processors and operating systems provides a common, unified environment that merges the efforts of both IT and OT groups.

Extension of policy and security across networks: With interconnected IT and OT networks, the entire network must be secure to minimize vulnerabilities at any single point in the combined network. Therefore, utilities need to implement and manage policy and security measures across their entire IT and OT networks, leading to standardized access and minimizing network vulnerability.
Slide 15: Evolution of Technology
Monolithic SCADA; distributed SCADA; networked SCADA; Industrial Internet of Things (IIoT). Affecting both IT and OT is the evolution of technology: 50 billion connected devices. "If you build it, they will come."

Talking Points:
The first architecture concept of SCADA was based on mainframe systems, in which networks were basically non-existent. Therefore the first control systems were not able to interconnect with any other; they were standalone systems. The development and improvements in system miniaturization and Local Area Network (LAN) technology [9] were the key factors that led to distributed SCADA. Multiple stations with various functions were able to communicate in real time with each other and interchange data. All of these newly developed stations acted like mini-computers, and they were smaller and less expensive than the first-generation equipment [9]. The continuous growth of all industries, the increased number of automated processes and the multiple vendors of industrial equipment caused the next step in SCADA evolution: networked systems. The third generation of SCADA systems is very similar to the second one, except for one primary difference: it is oriented to an open system architecture rather than a vendor-controlled and proprietary environment [9].

The Industrial Internet of Things (IIoT) is the latest catalyst for process automation. Key components of IIoT include: the number of sensors monitoring processes is exploding; connected devices transport data at higher speeds; cloud networks make data storage and availability scalable; and analytics extract information from a myriad of sources. These four IIoT elements touch every aspect of an enterprise's production or manufacturing environment and require the two organizations responsible for implementing and operating IIoT information and business systems, Information Technology (IT) and Operational Technology (OT), to adopt new strategies. One strategy is IT/OT convergence, which promotes a single view of an enterprise's information. Process-management tools help ensure that every person, machine, sensor, switch and device in an organization has accurate information in the best form and at the right time. As OT products, for example programmable logic controllers (PLCs) and remote terminal units (RTUs), become more aligned with IT infrastructure and applications, getting OT information integrated efficiently with IT systems at a process level is difficult enough for many companies. Getting IT and OT systems to work together to maximize business efficiency, while avoiding negative consequences, risks and pitfalls in the process, makes the task more challenging. However, thanks to new technologies, this process is becoming more practical and is creating opportunities for huge economic benefits when these two disciplines are successfully integrated.
Slide 16: ICS Search

Talking Points:
Hiding in an "air-gapped" network may have worked in the past, but not today. Today the search for and identification of ICS gear is even easier. Shodan ("Sentient Hyper-Optimized Data Access Network") is specialized to let users find specific types of embedded devices. Censys crawls for ICS protocols such as GE SRTP, Modbus, DNP3, Siemens S7, EtherNet/IP, IEC 60870-5-104, BACnet, Fox, HART-IP, PCWorx, and many more. With findings such as 14,000 Internet-facing Modbus hosts and 4,000 EtherNet/IP hosts, it is worth investing time exploring. Distributed scans of the entire Internet for a given port can take less than one hour. It is feasible to scan large ranges of ports in a relatively short amount of time.
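The practical question for an entity is whether any of its own ICS services are reachable from the Internet, and the cheapest place to check is the perimeter firewall's own accept log. The following is an added example, not code from the presentation or from Shodan or Censys: it reads a few constructed firewall log lines in a hypothetical `src=... dst=... dport=...` format, treats RFC 1918 and loopback space as internal (an assumed policy), and flags accepted connections from any other source to the well-known ports of the protocols named on the slide (Modbus 502, DNP3 20000, S7 102, EtherNet/IP 44818, IEC 104 2404, BACnet 47808). The public addresses in the sample are documentation ranges used as stand-ins.

```python
import ipaddress
import re

# Well-known TCP ports of the ICS protocols named on the slide.
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Assumed policy for this example: RFC 1918 space plus loopback is "internal".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample log (hypothetical format, not from any real device). The
# 198.51.100.x and 203.0.113.x addresses are documentation ranges standing in
# for Internet sources and the utility's public edge.
SAMPLE_LOG = """\
2017-01-10T08:01:12Z ACCEPT src=10.20.1.15 dst=10.20.5.7 dport=502 proto=tcp
2017-01-10T08:01:20Z ACCEPT src=198.51.100.23 dst=203.0.113.40 dport=502 proto=tcp
2017-01-10T08:02:05Z ACCEPT src=192.168.4.9 dst=192.168.4.20 dport=20000 proto=tcp
2017-01-10T08:03:41Z ACCEPT src=198.51.100.77 dst=203.0.113.41 dport=44818 proto=tcp
2017-01-10T08:04:00Z ACCEPT src=198.51.100.77 dst=203.0.113.41 dport=443 proto=tcp
2017-01-10T08:05:13Z DROP src=198.51.100.90 dst=203.0.113.40 dport=102 proto=tcp
garbage line that the parser must tolerate
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None  # malformed address: skip rather than guess
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(addr):
    """True when the address lies outside every internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_ics(log_text):
    """Accepted connections from external sources to ICS protocol ports.

    Returns (timestamp, src, dst, port, protocol name) tuples in log order.
    Dropped connections are ignored: the firewall did its job there.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["dport"] in ICS_PORTS and is_external(rec["src"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], ICS_PORTS[rec["dport"]]))
    return hits


def summarize(hits):
    """Collapse hits to one finding per exposed (destination, port) with a hit count."""
    counts = {}
    for _ts, _src, dst, port, name in hits:
        key = (dst, port, name)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    exposed = find_exposed_ics(SAMPLE_LOG)
    for hit in exposed:
        print("EXPOSED ICS SERVICE:", hit)
    print(summarize(exposed))
```

Two of the six sample lines are findings: Modbus on 203.0.113.40 and EtherNet/IP on 203.0.113.41, both accepted from outside. The 443 connection is ignored because the port is not an ICS protocol, and the S7 attempt is ignored because the firewall dropped it. An exposure found this way is what an Internet-wide crawler would also see, so the log check is the entity's chance to find it first.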
Slide 17: IT-OT Convergence Risks
Loss of isolation; accidental insider; malicious insider; external actors. Unfortunately, adversaries continue to evolve, and cyber defense remains a reactionary culture. In reviewing these incidents, one of the most unfortunate trends found was that the access vectors for attack could not be determined because the compromised systems lacked detection and monitoring capabilities.

Talking Points:
Loss of isolation: Over time, enterprise networks have replaced proprietary communication tools with protocols such as Ethernet and Internet Protocol (IP), resulting in the erosion of isolation. Threat actors are very familiar with open protocols and the move to those open protocols, so whatever security by obscurity existed is lost. When bringing these two teams together, it is important to consider the differences between them and establish strong change management processes.

The Malicious Insider: As IT managers know only too well, many "attacks" are perpetrated by a trusted insider who uses expert knowledge and corporate authorization to manipulate systems to carry out personal commands. The insider threat poses as much risk to OT as to IT.

The Accidental Insider: The quest for greater efficiency and productivity, combined with a lack of security awareness, can open up new avenues for the accidental introduction of malicious code. However, as well as the threat from malicious cyber attacks, systems and data can also be threatened by security applications themselves, legitimate testing or unauthorized configuration changes. The great sensitivity of OT to factors such as latency in the system, regardless of its cause, requires precise knowledge and understanding of how security solutions (for example) might affect a system.

External Actors: Malware or commands issued by a cyber-intruder to negatively impact Operational Technology and systems. The driving purpose behind such malicious external attacks is typically to survey critical systems, steal intellectual property or disrupt industrial processes, to satisfy numerous varied motivations.
Slide 18: IT-OT Convergence: Three Approaches
Effectively merge the two, integrating OT within the IT group.
A technology team free from these traditional distinctions, responsible for all OT and IT functions.
A new breed of "industrial technologists" who have a combined IT/OT perspective.

Speaking Points:
Where we have seen entities be successful: breaking down silos. When industrial companies have not created this hybrid organization, confusion emerges and progress slows because no one has a holistic view. When solutions like Big Data analytics, cloud or machine learning are considered, they get pointed toward IT, just like ERP did a decade ago. When Asset Performance Management (APM), Industry 4.0 or Smart Manufacturing are considered, they get pointed toward OT, just like DCS/PLC did a decade ago. Subsequently, the use cases and technologies become muddled. We have seen entities move to an IOC (Integrated Operating Center).

Three approaches: One approach employed by some energy companies is to effectively merge the two, integrating OT within the IT group. On the surface, this seems like the most straightforward approach, essentially forcing OT and IT to work in coordination. In practice, however, the cultural differences can remain. For example, IT may try to impose its standards-based approach on an OT team used to systems specialized for particular production tasks. Unless IT has a clear understanding of the requirements of these automation systems, the result can be a lack of coordination that decreases system stability. For this approach to work, OT must have a voice in the combined organization.

Another approach is to create a technology team free from these traditional distinctions, responsible for all OT and IT functions. This approach is feasible in an entirely new organization or for a large company spinning off a new satellite organization. But for most large, complex oil and gas producers with established technology groups and lots of legacy infrastructure, it may not be a workable alternative.

The third approach is one we are seeing more and more in forward-looking organizations, where there is a new breed of "industrial technologists" who have a combined IT/OT perspective. They understand the need for stable, highly available automation systems, but they also understand the enterprise system integration and analytics required to make the IIoT a reality. With a foot in both worlds, these industrial technologists play a key role in ensuring that the priorities of both OT and IT are met.
Slide 19: Evolution in the Marketplace
When you step back and consider the number of smart devices and the software used to make business happen, it is astounding. Technological advances certainly influence how business gets done, continuously evolving (not just faster, but smarter).

Talking Points:
(*** Larry and Matt conversation) This is where we have to weigh the risk between business and security: a lot of intelligent devices and trusted networks to make business happen.
Slide 20: CIP and Emerging Technologies
BES Cyber System Information in the cloud: compliance management, monitoring, access control.
BES Cyber Systems in the cloud: resiliency/security/compliance; Software as a Service (SaaS); Platform as a Service (PaaS).

Talking Points:
(**** bring it up to the higher level ****) Cloud means different things to different people. We are proponents of emerging technologies. Entities have been asking us about considerations for these technologies from the perspective of BES Cyber System Information (BESCSI) and BES Cyber Systems (BCS). BESCSI is increasing and becoming more valuable for security and reliability. BCS: everything is becoming a platform. How does an entity leverage emerging technology when considering CIP? (**** stay informed and keep a sense of reliability)
21 Malware
- Black Energy
- Operation Dust Storm
- Flame
- Havex
- Dragonfly
- Operation Cleaver
- Shamoon
- Duqu
- Neutrino
- Stu#%&*

Talking Points: The reality is that all of this technology runs on code. You may remember Microsoft's Steve Ballmer and his passionate chant of four words, ‘Developers, Developers, Developers’, at a developers’ conference in 2000. We have to remember that fundamentally code is developed by humans and certainly varies in its security posture. The Software Development Life Cycle (SDLC) does not include security; it is all about design, develop and test.

Everything is becoming a platform. AppSec is going to be the most important area of security. One problem: AppSec is not as mature as network security, and there has been an adversarial tone at points. Shift: security teams (CSOs, security analysts, pentesters) started talking about DevOps. DevOps is an opportunity to do things more securely, moving from continuous integration to continuous deployment. It is much faster, but with no security in the process. DevOps (releasing things faster) is not more secure just because things are released more frequently; teams are moving from waterfall to agile (iterative), with scrum, or to many small waterfalls. Are we just doing things faster, or more securely? DevOps may be a continuum, depending on what you are trying to achieve. All the money is spent on AppSec, yet developers and the development process have to embed security naturally. The DevOps opportunity is finding issues as code is written. What are developers paid to do? They are paid to develop based on function, not on the security of the software. And what about all these security tools that generate false positives?

Talking points: I’m not a big proponent of naming malware; it’s like saying the perpetrator’s name when a terrible crime has been committed, but I also get why we do it for malware. Needless to say, in recent memory there has been an increase in malware affecting

Changing our perspective for a moment to that of a malicious actor: it all starts with identifying a vulnerability (hopefully a 0-day) and developing code to exploit that vulnerability to gain access for espionage.

Exploit Kits are powerful and modular digital weapons that deliver malware in an automated fashion to the endpoint. Exploit Kits take advantage of client side vulnerabilities. These threats are not new and have been around for the past 10 years at least. Nonetheless, they evolved and are now more sophisticated than ever. The malware authors behind them enforce sophisticated capabilities that evade detection, thwart analysis and deliver reliable exploits. These properties make detection and analysis difficult. This paper demonstrates a set of tools and techniques to perform analysis of the Neutrino Exploit Kit. The primary goal is to grow security expertise and awareness about these types of threats. Those empowered to defend users and corporations should not only study these threats, they must also be deeply involved in their analysis.
22 Malware
Talking Points: Looking at the scale of this issue, this graph really puts it into perspective. A/V companies put sensors throughout the internet to detect malware.
- Malicious code is growing at an exponential rate.
- Today there is more malicious code than actual legitimate code/software.
- It is more complex and targeted, and is being aimed at more critical assets.

As the Internet has extended its reach over the last 10 years, malware (malicious software) has evolved and become more complex. Early forms of malware sought to generate high-profile nuisance attacks, but today its aims are increasingly pernicious, focusing on theft and other illicit activities. Malware has become much more of a concern for organizations; Internet connectivity was still the exception to the rule for many organizations before 2002, but it quickly became the norm as the first decade of the 21st century unfolded. Today, in addition to individual computers and the networks of organizations both large and small, Internet connectivity also extends to devices such as gaming consoles and smartphones. And as computing paradigms shift, protecting organizations, governments, and citizens from malware has become even more of a challenge.
https://www.av-test.org/en/statistics/malware/
23 Internet Security Threat Report (ISTR)
“Discovered more than 430 million new unique pieces of malware in 2015, up 36 percent from the year before. Perhaps what is most remarkable is that these numbers no longer surprise us.”
https://www.symantec.com/content/dam/symantec/docs/reports/istr en.pdf

Talking Points:
- Each year Symantec releases its ISTR.
- From the 2015 report’s Executive Summary: 430 million unique pieces of malware.
- Note also the uptick in unique vendors. This again shows the interest in ICS and ICS search engines.

Industrial Control Systems Vulnerable to Attacks: Industrial control systems (ICSs) are found in many areas of industrial production and utility services worldwide, and are routinely connected to the Internet for remote monitoring and control. Uncovering vulnerabilities in these systems is a major area of research, emphasized by the growth in the numbers of these vulnerabilities in

The actual number of vulnerabilities affecting ICSs is estimated to be much higher, since many organizations standardize their platforms by using commercial off-the-shelf (COTS) products, such as Windows or Linux, that are also subject to vulnerabilities but which are not counted here. Furthermore, ICS management systems connected with enterprise networks can increase the potential exposure to threats more typically associated with these operating systems.

Obscurity is No Defense: The most valuable form of protection against cyberespionage is simply to be aware that it is possible. All businesses are potentially vulnerable to targeted attacks using techniques such as watering hole attacks and spear phishing. Small size and obscurity are no protection. Indeed, in 2015 small businesses accounted for a greater proportion (43 percent) of spear-phishing attacks, but the likelihood of being targeted diminished. While more attacks were destined for that group, they were focused on a smaller, more discrete number of businesses (3 percent). Contrast this with large enterprises, which accounted for 35 percent of the spear-phishing attacks, and 1 in 2.7 (38 percent) were targeted at least once. This suggests a much more extensive scale where campaigns were more scattergun in their approach. Having acknowledged the risk, organizations can take steps to protect themselves by reviewing their security and incident response plans, getting advice and help if required, updating the technical defenses, putting good personnel policies and training in place, and staying up to date with the latest information.

- The report includes ICS.
- What should give most people cause for concern is that attackers appear to be discovering and exploiting zero-day vulnerabilities in industrial control systems (ICSs).
- Again, identified vulnerabilities are increasing exponentially.
- An important note is the huge increase in identified unique vendors.
- The report also noted there were seven known zero-day vulnerabilities during 2015 targeting a variety of different manufacturers and different devices.
24 State of Security in Control Systems
Talking Points: So now to the use/leveraging of the malware (external actors).

The State of Security in Control Systems Today was a SANS survey conducted with 314 ICS community members and was released on June 25th, 2015. The number one vector the respondents felt was the most significant threat to their ICS was external threats. This makes sense given the increased understanding in the community regarding external actors and the cyber security of operations. However, interestingly, the second top threat identified was the integration of IT into control system networks. I really liked seeing this metric because I too believe it presents one of the largest threat vectors to operations. ICS-targeted nation state malware tends to get the most media attention. BlackEnergy2, Stuxnet, and Havex were all very concerning. However, it is far more likely on a day to day basis that not architecting and maintaining the network correctly will lead to decreased or stopped operations. The integration of OT and IT also presents a number of challenges with incidental malware that, while non-targeted, presents a significant risk, as has been documented numerous times when important systems halt due to accidental malware infections such as Conficker.

Takeaway: The ICS community needs to be aware of external threats and realize that they pose the most targeted threat to operations. However, it was great seeing that issues revolving around the integration of IT and OT are accurately seen as a concern. Architecting and maintaining the OT network correctly to include safe and segmented integration, structuring such as the Purdue model, and ultimately reducing the risks associated with IT/OT convergence will go a long way for the security of the environment. The type of efforts required to reduce the risk of IT/OT convergence are also the same foundational efforts that help identify, respond to, and learn from external threats and threat vectors.
https://www.sans.org/reading-room/whitepapers/analyst/state-security-control-systems-today-36042
25 Ukraine
Talking Points: We saw this very thing in the Ukraine event.
- Now the Ukraine event has a lot of eyes on it.
- This is an event that we should try to learn everything we can about, to ensure our security posture can defend against a similar attack.
https://www.shieldjournal.com/u-s-govt-says-cyber-attack-caused-power-outage-in-ukraine/
26
- Spear phishing emails with malicious attachments: Word and Excel documents containing macros
- Infection vector used in these attacks is Microsoft Office files containing malicious macros
- 32-bit Windows executable
- Installs the modified variant of ‘KillDisk’
- Possible to set a specific time delay after which the destructive payload was activated
- December 23rd, 2015: 3 Ukrainian power companies experience unscheduled power outages due to cyber attack
- Impacted 57 substations, 339 towns, ~205,000 customers
- 6 hours in duration
- Six more “attacked” but no indication of outage

Talking Points: It was not a huge outage, nor was it long in duration; distribution companies cover regions. The outage itself is not the huge event; it is how it was caused, and that it was coordinated. Update: possibly another attack from December of 2016. The investigation leads to evidence of a coordinated cyber-attack:
- Power outages were caused by remote cyber intrusions at three regional electric power distribution companies.
- The attack was synchronized and coordinated; the intrusions occurred within 30 minutes of each other.
- Impacted multiple central and regional facilities.
- Malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the OS level or remote ICS client software via VPN.
- Actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.

So briefly, what happened? Cyber sabotage. Security experts had already widely concluded that the downing of utilities in western Ukraine on December 23 was due to an attack, which is believed to be the first known successful cyber intrusion to knock a power grid offline. An interagency team comprised of representatives from the National Cybersecurity and Communications Integration Center (NCCIC)/Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation traveled to Ukraine to collaborate and gain more insight. The Ukrainian government worked closely and openly with the U.S. team and shared information to help prevent future cyber-attacks.
Black Energy https://cys-centrum.com/ru/news/attack_on_energy_facilities_jan_ps
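The findings above (remote ICS client access over VPN with legitimate credentials, breaker operations at several companies within 30 minutes of each other) translate directly into a detection: correlate remote-access logins with control actions and look for operations spread across multiple sites in a short window. The following is an added example, not code from WECC, ICS-CERT or any utility. The log format, the event names (vpn_login, breaker_open), the site and user names and the sample lines are all constructed for illustration; a real deployment would feed it from the VPN concentrator and the SCADA/EMS operator action log.

```python
"""Correlate VPN logins with remote breaker operations across sites.

Added example (not WECC's or ICS-CERT's code). Assumes a hypothetical,
constructed log format; event and field names are invented for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real utility logs). Each line is
# "<ISO timestamp> <event_type> <site> <user> <detail>".
# The siteD operation has no preceding VPN login, so it is treated as local.
SAMPLE_LOG = """\
2015-12-23T15:02:10 vpn_login siteA op_smith src=203.0.113.7
2015-12-23T15:04:42 vpn_login siteB op_jones src=198.51.100.9
2015-12-23T15:21:05 breaker_open siteA op_smith feeder=12
2015-12-23T15:22:30 breaker_open siteA op_smith feeder=14
2015-12-23T15:31:18 breaker_open siteB op_jones feeder=3
2015-12-23T15:40:00 vpn_login siteC op_lee src=192.0.2.44
2015-12-23T15:44:51 breaker_open siteC op_lee feeder=7
2015-12-23T11:10:00 breaker_open siteD op_kim feeder=2
"""


def parse_log(text):
    """Parse the constructed format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, site, user, *rest = line.split()
        events.append({"time": datetime.fromisoformat(ts), "type": etype,
                       "site": site, "user": user, "detail": " ".join(rest)})
    events.sort(key=lambda e: e["time"])
    return events


def remote_breaker_ops(events, session_ttl=timedelta(hours=8)):
    """Breaker operations attributable to a session that came in over VPN.

    An operation counts as remote when the same (site, user) logged in via
    VPN within session_ttl before it. Operations with no such login are
    assumed to be local console actions and are not returned.
    """
    last_login = {}
    ops = []
    for e in events:
        key = (e["site"], e["user"])
        if e["type"] == "vpn_login":
            last_login[key] = e["time"]
        elif e["type"] == "breaker_open":
            login = last_login.get(key)
            if login is not None and e["time"] - login <= session_ttl:
                ops.append(e)
    return ops


def coordinated_clusters(ops, window=timedelta(minutes=30), min_sites=2):
    """Group remote operations that hit at least min_sites distinct sites
    within one sliding window. Each op is counted in at most one cluster."""
    ops = sorted(ops, key=lambda e: e["time"])
    clusters = []
    i = 0
    while i < len(ops):
        end = ops[i]["time"] + window
        group = [o for o in ops[i:] if o["time"] <= end]
        sites = sorted({o["site"] for o in group})
        if len(sites) >= min_sites:
            clusters.append({"start": ops[i]["time"].isoformat(),
                             "sites": sites, "ops": len(group)})
            i += len(group)          # skip the ops already explained
        else:
            i += 1
    return clusters


def detect(text):
    """End-to-end: log text -> list of coordinated remote-operation clusters."""
    return coordinated_clusters(remote_breaker_ops(parse_log(text)))


if __name__ == "__main__":
    for c in detect(SAMPLE_LOG):
        print(f"ALERT: remote breaker operations at {c['sites']} "
              f"starting {c['start']} ({c['ops']} operations)")
```

On the sample, the siteA, siteB and siteC operations all fall inside one 30-minute window and all follow a VPN login, so they form a single cluster; the siteD operation is dropped because no remote session explains it. The thresholds (window, min_sites, session_ttl) are tuning knobs, and a single remote operation at one site is deliberately not an alert, since that is normal dispatcher activity.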
27 Black Energy
Talking Points: Opening the document enables the macro to run, reach out to the C&C server and download the BlackEnergy payload. No vulnerability was even needed to exploit. A macro is a single instruction that expands automatically into a set of instructions to perform a particular task. If anything, this event emphasized a defense in depth security posture. The macro downloads the BlackEnergy3 malicious software. Was KillDisk a component, or just inside the network? The KillDisk component itself did not cause the outage. KillDisk is designed to overwrite more than 4,000 file types with random data and damage the OS, making it unbootable. Initial evidence and analysis indicated direct interaction and not malware:
- Intrusion into production SCADA system
- Acted to “blind” the dispatchers
- Acted to open breakers and cause the outage
- Acted to damage the SCADA system hosts
- Telephone denial-of-service (TDoS) to prevent error messages from reaching service personnel
Black Energy https://cys-centrum.com/ru/news/attack_on_energy_facilities_jan_ps
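Because the initial foothold here needed no vulnerability, only a user opening a macro-bearing Office document, the cheapest control is to recognise macro-carrying files before they reach a user (at the mail gateway or a file share), complementing the "disable macros" control listed in the NERC remote access study later in this deck. The following is an added example, not code from WECC or from the BlackEnergy analyses cited on this slide. It relies only on the public structure of the formats: modern Office files are zip containers whose macro project lives in a vbaProject.bin part, and legacy .doc/.xls files are OLE compound documents with a fixed 8-byte signature. The sample documents are constructed in memory and contain no real macro code.

```python
"""Flag Office documents that carry VBA macros before they reach a user.

Added example (not code from WECC or from the BlackEnergy analyses cited).
Builds constructed sample files in memory; no real malware is involved.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container signature
VBA_PART = "vbaproject.bin"                        # OOXML part holding the macro project


def classify(data: bytes) -> str:
    """Return one of 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'other'.

    OOXML (docx/docm/xlsx/xlsm) is a zip; the presence of a vbaProject.bin
    part means a macro project is embedded regardless of file extension.
    Legacy OLE files cannot be judged by magic alone, so they are reported
    separately for deeper parsing or for a policy decision.
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "other"
        if any(n.endswith(VBA_PART) for n in names):
            return "ooxml-macro"
        if "[content_types].xml" in names:
            return "ooxml-clean"
    return "other"


def should_quarantine(data: bytes, allow_legacy: bool = False) -> bool:
    """Policy: hold anything with an embedded VBA project; hold legacy OLE
    documents too unless the caller has a separate OLE macro scanner."""
    verdict = classify(data)
    return verdict == "ooxml-macro" or (verdict == "ole-legacy" and not allow_legacy)


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container (not a real Word document),
    used here only to exercise the classifier offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            # placeholder bytes standing in for a VBA project stream
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("macro doc", build_ooxml(True)),
                        ("clean doc", build_ooxml(False)),
                        ("legacy doc", OLE_MAGIC + b"\x00" * 16)]:
        print(f"{label}: {classify(blob)} quarantine={should_quarantine(blob)}")
```

The check is deliberately extension-agnostic: a file renamed from .docm to .docx still carries its vbaProject.bin part, and that is what the gateway should key on. Legacy OLE documents need a real OLE stream parser to confirm macros, which is why they get their own verdict rather than a guess.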
28 Mapping to CIP
Talking Points: (Possible, not probable.) We have been asked whether the Ukraine attacks could have happened to a utility in North America. Almost every entity configures remote access into the ESP. We have three zones here, which is a common network configuration. The enterprise zone is certainly out of CIP scope. However, an Intermediate System for IRA is now required, and of course an EAP for an ESP, where most protected Cyber Assets must reside. So, walking these risks back from the insecure code:
- the remote user/attacker
- insecure code on the Cyber Asset that provides the CIP-002 BROS function(s)
- the network the Cyber Asset is communicating on
- the protocol being used to communicate
- Electronic Access Points at the ESP enclave
- electronic access controls used to control access
We hear a lot that the DMZ is as secure as the ESP, but in CIP there is either an ESP or not an ESP.
https://www.sans.org/reading-room/whitepapers/ICS/secure-architecture-industrial-control-systems-36327
29 CIP Strategy
- Identify assets
- Identify threats to assets
- Highest critical assets placed at innermost enclave of protection
- Overlapping layers of prevention, detection, and mitigation

Talking Points: Look at CIP as more of a strategy than simply a compliance obligation. If you look at CIP as more than a regulatory compliance objective, as a security strategy/framework:
- Identify assets (how do we protect something we don’t account for?): all of CIP-002.
- Identify threats to assets (cyber-wise this is CIP-007).
- Innermost enclave: this is CIP-005.
- Overlapping layers, which is critical (again CIP-007, CIP-004, CIP-008, CIP-009 and CIP-010): security awareness program, network segmentation, access control and credentials management, deep protocol inspection and intrusion detection, vulnerability and patch management, incident response, procurement security policies.

In version 3 we had entities creating ‘compliance documentation’ for compliance; now in V5 we have entities creating processes for how operations happen and pointing to compliance within that. This way the overall risks are addressed in each business unit, though they may each use unique processes. When you get even more granular into the CIP requirements there is a purpose-built defense in depth:
- Network segmentation: as mentioned, CIP requires a protective enclave, but the way networks are moving to being built using SDN, we need to open the door to microsegmentation.
- CIP-004: access controls.
- Deep protocol inspection: CIP-005 R1.5 requires a ‘method to detect malicious communications’, but many entities allow encrypted traffic (SSH/HTTPS) through the EAP, and that certainly could be used for reverse shells.
- CIP-010 vulnerability assessment and CIP-007 patch management.

Some of these overlapping layers of prevention, detection and mitigation are considered best security practices and are controls in CIP. Many ICS/OT networked environments remain flat, inhibiting defenders from implementing zone-based controls, or attempt to use IT security techniques to segment, which are expensive and time-consuming. Securing connected control and automation system networks is a great responsibility requiring the coordinated efforts of many organizational resources and often even changes to corporate culture. It is also an ongoing activity with no end state; continuing and accelerating technological developments will not cease to create or uncover new vulnerabilities exposing the infrastructure to intentional or accidental dangers. Organizations must recognize up front that establishing a successful, sustainable security program is a huge, complex and very long-term effort, but it can and must be done. The importance of protecting these systems goes beyond any one organization, and this will only become more evident as the web of interconnected systems continues to expand. As daunting as it may seem, it is accomplishable. The experiences of many experts in this field have shown that, by following the steps outlined in this document, ICS network defenders can greatly reduce both the number of security incidents affecting their organizations and the impact of such incidents.
capture details of existing user roles and align credentials with the new controls.
do not evaluate the impact of the packet contents on the destination device(s), nor can they evaluate an entire data flow in state (i.e., multiple packets that comprise a process command flow).
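The three granular points above (segmentation around the ESP, remote access terminating at the Intermediate System, and encrypted traffic crossing the EAP where the malicious-communications detector cannot see it) can be checked mechanically against a boundary rule set. The following is an added example, not code from WECC, NERC or any registered entity. The rule format, the zone names (esp, dmz, enterprise, internet) and the "inspected" flag are hypothetical; CIP-005 prescribes no rule syntax, and a real review would export rules from the entity's EAP device into this shape first.

```python
"""Review an EAP (ESP boundary) rule set against the layered-controls points above.

Added example, not code from WECC or NERC. The rule format, zone names and
the 'inspected' flag are hypothetical; CIP-005 itself prescribes no rule syntax.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src_zone: str      # zone where the connection is initiated
    dst_zone: str
    dst_port: int
    action: str        # "allow" or "deny"
    inspected: bool    # content visible to the malicious-communications detector


# Ports whose payload is opaque to a signature-based detector unless decrypted.
ENCRYPTED_PORTS = {22, 443}

# Constructed sample rule set (not from any real entity).
SAMPLE_RULES = [
    Rule("jump-to-esp", "dmz", "esp", 3389, "allow", True),          # via Intermediate System
    Rule("esp-egress-https", "esp", "internet", 443, "allow", False),  # ESP-initiated, encrypted
    Rule("corp-ssh-direct", "enterprise", "esp", 22, "allow", False),  # skips the jump host
    Rule("scada-poll", "esp", "esp", 20000, "allow", True),            # intra-ESP, inspected
    Rule("default-deny", "any", "esp", 0, "deny", False),
]


def review_rules(rules, intermediate_zone="dmz"):
    """Return (rule name, finding) pairs for allow rules that weaken a layer.

    esp-initiated-egress: a session opened from inside the ESP to another zone
        gives a compromised asset a path out that the inbound controls never see.
    bypasses-intermediate-system: interactive access into the ESP that does not
        originate from the Intermediate System zone.
    encrypted-uninspected: an encrypted flow crossing the EAP that the
        detection layer required by CIP-005 R1.5 cannot look into.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src_zone == "esp" and r.dst_zone != "esp":
            findings.append((r.name, "esp-initiated-egress"))
        if r.dst_zone == "esp" and r.src_zone not in (intermediate_zone, "esp"):
            findings.append((r.name, "bypasses-intermediate-system"))
        if (r.dst_port in ENCRYPTED_PORTS and not r.inspected
                and r.src_zone != r.dst_zone):
            findings.append((r.name, "encrypted-uninspected"))
    return findings


if __name__ == "__main__":
    for name, finding in review_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

On the sample, the jump-host rule and the intra-ESP polling rule pass, while the ESP-to-internet HTTPS rule and the direct enterprise-to-ESP SSH rule each produce two findings. The findings are review prompts, not violations: an entity may have a compensating control (for example TLS termination on the EAP, or a bastion that is itself inside the dmz zone), and that is exactly the evidence an auditor would ask to see.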
30 FERC Order 822 Directive
NERC must conduct a comprehensive study that assesses:
- The effectiveness of the CIP version 5 remote access controls;
- The risk posed by remote access-related threats and vulnerabilities; and
- The appropriate mitigating controls for any identified risks.

Talking Points: Now this is not to say an event couldn’t happen here, and so we have seen FERC move to further understand the security posture implemented for IRA. The study must be completed within one year of the implementation of the CIP version 5 Standards for High and Medium impact BES Cyber Systems (i.e. 7/1/2017). NERC is requesting a completed form for each audit or CIP-related spot check completed between 7/1/2016 and 5/15/2017 in order to produce the report necessary to complete the filing. The following sections summarize key areas of focus and specify the information that NERC is requesting from the Regions to help satisfy the study objectives:
31 NERC Remote Access Study
Evaluate and document for the study the entity’s controls to address the Ukraine-specific remote access vulnerabilities:
- Spear phishing and malware detection capabilities on corporate networks,
- Application whitelisting,
- Disabling of macros at servers and in Microsoft applications,
- Application of Lessons Learned on Mixed-Trust EACMS to ensure that credentials from the corporate enterprise cannot be exploited by escalation tactics,
- Protection for IP-to-serial converters, if any, and/or
- Other protections implemented.
Our audit team has conducted 10 studies.
32 CIP Standards Drafting Team (SDT)
- Positive influence
- Technical advising
- Helping entities stay informed and be prepared

Talking Points: Positive influence on security and reliability: CIP Modifications SDT (Morgan) and Supply Chain Management SDT (Dr. Baugh). Technical advising: CIP-014 audits are in full swing, and we are working with Mr. Clancey of NERC to ensure all regions have the knowledge and confidence to audit. Helping: in v3 there seemed to be a disconnect between the SDT’s intent and what auditors and industry understood that intent to be for any given Requirement. Influence: remember we are all working for a common goal to secure the BES, and from the regulatory arm we have seen first hand the issues that entities have had and are able to provide that directly to the SDT for consideration. Technical advising: there are various levels of understanding on emerging technologies. Stay informed, be prepared: we want WECC entities to be successful in strengthening their security posture, and from our role we are able to do that by sharing perspective from all of our audits.
33 Future Proof CIP
- Stating the security objective
- What control(s) required
- Leaving open how the objective is met
- Consideration of inherent/variable risks

Talking Points: How do you create regulatory standards for a changing threat landscape while ensuring the security posture of the industry is maintained to an established baseline? It is difficult for regulation to maintain the pace of cybersecurity threats. Example: CIP-007 R3, “Deploy method(s) to deter, detect, or prevent malicious code.” See also CIP-003-7(i). By ‘Future Proof’ I am not saying CIP will prevent any future cyber-attack. I am saying that with the CIP Standards opening up to be less prescriptive, stating the required security control (the WHAT) and leaving the HOW open, entities will be able to leverage emerging technologies into the future. This is an important paradigm shift, as trying to write prescriptive regulation for CIP will always be a day late. Information security requirements and controls should not negatively affect an entity’s ability to operate. They should ensure the availability, integrity and confidentiality of an entity’s most critical assets and address the overall risk exposure.
34 Cyber Security Risk to the BES
- Open Access Technology International (OATI)
- Not in scope of CIP
- BES Reliability Operating Services (BROS) functions
- What if a Distributed Denial of Service (DDoS) like the DynDNS attack happens to OATI?

Talking Points: Risk Based Compliance Monitoring (identifying risks with recommendations and AOCs). CIP V5 and RBCM open the door to discussions about cybersecurity above and beyond just compliance. Now we recognize we can’t and shouldn’t try to protect everything, but in this new Risk Based Compliance Monitoring we are working to identify real risks, not just identify violations. Explain the DynDNS service. Interchange tagging: no power travels across the BES without a tag, and every BA has to validate that tag (enough transfer capability, etc.). We understand CIP cannot protect everything. We do have to identify our Critical Assets and ensure they are protected. Circling back to criticisms of CIP: what should the scope include? We are working to identify further risks outside the language of the standards from a risk-based approach; we use areas of concern and recommendations for these purposes. Regulation trying to ensure everything is protected may end up protecting nothing. Industry is still trying to identify the appropriate CIP scope and the layers of the defense in depth. Against these capable and dynamic threats, no single solution is enough. The best strategy for defending against this type of attack is to understand it and to use a defense in depth strategy: multiple security controls at different layers.
35 References
- Marlene Z. Ladendorff, The Effect of North American Electric Reliability Corporation Critical Infrastructure Protection Standards on Bulk Electric System Reliability, Capella University, August 2014.
- https://www.sans.org/reading-room/whitepapers/analyst/state-security-control-systems-today
- https://arxiv.org/pdf/ pdf
- https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/
- https://www.av-test.org/en/statistics/malware/
- https://www.symantec.com/content/dam/symantec/docs/reports/istr en.pdf
- https://www.shieldjournal.com/u-s-govt-says-cyber-attack-caused-power-outage-in-ukraine/
- https://cys-centrum.com/ru/news/attack_on_energy_facilities_jan_ps
- https://www.sans.org/reading-room/whitepapers/ICS/secure-architecture-industrial-control-systems
- https://www.sans.org/reading-room/whitepapers/analyst/security-converging-it-ot-world

- All utilities/operators in the energy sector are at risk
- Doing nothing is not an option: it is 5 to 20 times more costly to recover
- Defense-in-depth is the goal for operators of all sizes
- This is not an IT issue; it is a matter of local, provincial, and national security, risk management, and revenue assurance for the operator