Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Delivering a smart grid in a secure world.
Verizon & National Rural Electric Cooperative Association Webinar
October 5th, 2017
Tim Heidel, Deputy Chief Scientist, National Rural Electric Cooperative Association (NRECA)
Alex Schlager, Verizon Executive Director, Security Services
Warren Westrup, Verizon Director, IoT Solutions Engineering & Architecture
Enhancing Utility Cybersecurity Culture
October 3, 2017
Tim Heidel, Deputy Chief Scientist, NRECA
Utility cybersecurity challenges
• Variety of attacker goals (financial gain, infrastructure damage, etc.)
• Every utility is unique and has different needs and requirements
• Risks can include:
  • Malware and viruses (email and thumb drives)
  • Insider threats
  • Loss of sensitive data and personal info
  • Phishing/social engineering/email scams
  • Loss of system control or awareness
  • Substation or other facility intrusion
Data breach, ransomware recovery costs
• Lost productivity and downtime
• Financial losses associated with a ransom payment or fraud
• Costs to recover data and restore normal business capabilities
• Negative publicity/damage to reputation/brand
• Legal expenses
• Cost of credit monitoring services for employees and/or members
E. Cody, “Disruption by Design: the Escalating Ransomware Threat,” NRECA TechSurveillance Whitepaper, September 2016
Supply chain risks
• Hardware trojans:
  • Modified circuitry (e.g. integrated circuits) designed to provide unauthorized access to data or software on critical systems
  • Designed to disable or destroy a system at some future time, or leak confidential information and secret keys
• Software:
  • Vendors may neglect security and validation of software during rapid development.
  • Poor software configuration
  • Malware insertion
  • Commercial Off The Shelf (COTS) products that rely on non-vetted
• State-of-the-art cybersecurity assessment methodologies and software tools are often designed to be used by large, dedicated IT departments with cybersecurity experts on staff
• Cybersecurity management can be costly and time consuming, particularly for smaller utilities
• NRECA is working to adapt assessment procedures and software tools to best meet the needs and resources of small and medium utilities
Rural Cooperative Cybersecurity Capabilities Program
• Cybersecurity self assessments
• Onsite vulnerability assessments
• Extending and integrating cybersecurity technologies
• Facilitating information sharing and collaboration among coops
Rural Cooperative Cybersecurity Capabilities Program
IDE-01 Do we have an inventory of all our computers?
IDE-04 Do we have an inventory of all our corporate mobile devices (e.g. cell phones, tablets, laptops, etc.)?
IDE-05 Do we have an inventory of all our employee personal mobile devices that may connect to the corporate and/or operational network (e.g. cell phones, tablets, laptops, etc.)?
Identifying critical data utilities store and use
IDE-12 Bank Account Information: Have we identified all computers, network equipment, and mobile devices that store, process or transmit our member or business bank account information?
IDE-13 PII: Have we identified all computers, network equipment, and mobile devices that store, process or transmit our member or business PII?
IDE-14 Credit Card Numbers: Have we identified all computers, network equipment, and mobile devices that store, process or transmit our member or business credit card numbers?
Rural Cooperative Cybersecurity Capabilities Program
Active pilots with 41 cooperative utilities in 2017
Rural Cooperative Cybersecurity Capabilities Program