Webinar - Reducing the Risk of a Cyber Attack on Utilities

Reducing the Risk of a Cyber Attack on Utilities

Jim Girouard, Sr. Product Development ManagerCorporate and Professional Education

About WPI

Fully accredited, non-profit, top quartile national university*

Founded in 1865 to teach both “Theory and Practice”

Robust Computer Science, Power Systems Engineering and Business Departments

DHS/NSA Designated Center of Excellence in Information Security Research

*U.S. News and World Report

Today’s Dialogue –Cybersecurity Education

Outline:

– The Growing Menace

– New vulnerabilities due to Smart Grid Technology

– National Framework for Cybersecurity Workforce Education

– Essentials of a cyber security education program

– How to craft a customized education program

– Discussion

Bushehr Nuclear Facility - Iran

Bushehr Centrifuges

Stuxnet

Stuxnet

• Infiltrates Microsoft Windows OS to infect SCADA Systems

Stuxnet


• A Virus, Worm and Trojan

Stuxnet



• Evades Detection. Erases its path as it jumps to next system

Stuxnet




• Disables Safety systems

Stuxnet





• Utilizes “Man in the Middle” Attack Strategy

Stuxnet






• Once it infects SCADA PLCs it waits, observes then acts

Stuxnet







• Returns recording of normal operation to operators

Stuxnet








• Successfully destroyed ~1,000 centrifuges.

Stuxnet








• Successfully destroyed ~1,000 centrifuges. 30% of capacity

• Source code available on web for $150K

BLACK ENERGY

Black Energy

PowerSource

• Also a Virus, Worm and Trojan

• Reported in October 2014 but could have been around in 2011

• Suspected Country of Origin: Russia

• Infects Human-Machine Interfaces including: GE Cimplicity, Seimens WinCC and Advantech/Broadwin WebAccess

• Attempts to damage, modify, or otherwise disrupt the victim systems’ control processes

• Modular and difficult to detect

ICS-CERT 2014 Annual Report

• 245 Incidents Reported, including: – Unauthorized access and exploitation of internet

facing SCADA– Exploitation of zero-day vulnerabilities– Infections within “air gapped” control networks– SQL injection and exploitation– Network Scanning – Watering hole attacks– Spear-phishing campaigns

Attacks by Sector

Smart Grid Field Area Networks (FAN)

Patrick Grossetete, Cisco

Attack Strategies on Utilities

PhysicalAttack

CyberAttack

Anatomy of a SophisticatedCyber Attack

Domain Knowledge

PhysicalAttack

CyberAttack

Anatomy of a SophisticatedCyber Attack

Domain Knowledge

PhysicalAttack

CyberAttack

“There are two types of companies. Those that have been attacked and those that don’t know it yet”

Scott Aaronson, Senior DirectorEdison Electric Institute

All Other Personnel

MIS & IT Professionals

Resiliencyvia secure softwaredesign

Resiliencyvia several barrier

defensestrategies

IntrusionDetection

ForensicsSoftwareEngineers

Cyber Defense Roles to prevent, detect and effectively respond

Human Firewall Training

Executive ResponseTraining

Graduate Cyber-CS Education

Certifications,Professional

Development&

Graduate Cyber-CS Education

Scenario: A USB drive in the grass

What it looks like to the typical finder

What it represents to your network

The National Cybersecurity Workforce Framework*

30*http://csrc.nist.gov/nice/framework/

• Issued by the National Initiative for Cybersecurity Education (NICE)

• Provides a common lexicon for cybersecurity work.

• A collaboration of federal agencies, academia and general industry.

• Constructed of “Categories” and “Specialty Areas” to group similar types of work.

• Provides tasks, knowledge, skills, and abilities (tKSAs) within each area.

• Version 2.0 is currently being drafted

http://csrc.nist.gov/nice/framework/

http://csrc.nist.gov/nice

National Cybersecurity Workforce Framework

32

Category

Securely Provision

Operate and Maintain

Protect and Defend

Investigate

Collect and Operate

Analyze

Oversight and Development

National Cybersecurity Workforce Framework

33

Category Specialty Areas Include:

Securely ProvisionSystems Security Architecture Secure Acquisition

Software Assurance and Security EngineeringTest and Evaluation Systems Development

Operate and Maintain System Administration Network Services Systems Security Analysis

Protect and Defend Incident Response Computer Network Defense AnalysisVulnerability Assessment and Management

Investigate Digital Forensics Cyber Investigation

Collect and Operate Federal Government RoleCollection Operations Cyber Operations and Planning

Cyber Intelligence Exploitation Analysis / Targets / Threat AnalysisAnalyze

Oversight and Development

Legal Advice and Advocacy Security Program ManagementStrategic Planning and Policy Development

Training, Education and Awareness Knowledge Management

DHS Cyber Security Evaluation Tool

What to Look For:Academic Partner

What to Look For: Accreditations

Computer Science Engineering

Business Whole University

http://www.google.com/url?sa=i&rct=j&q=wpi&source=images&cd=&cad=rja&docid=q4hXhdSEvIGVCM&tbnid=v8ZwL4CYid3HrM:&ved=0CAUQjRw&url=http://www.wece.wpi.edu/&ei=a3kbUszoEZfK4AO5xoDICg&bvm=bv.51156542,d.dmg&psig=AFQjCNGriEjpPkUNBacDRXfKDGZ74pONhA&ust=1377618664892651


What to Look For:Domain Knowledge

For example, at WPI:

NSA/DHS Designated Center of Excellence

Core Faculty Performing Current Research• Trusted Computing Platforms• Algorithms & Architectures for Cryptography• Analysis of Access-Control and Firewall Policies• Wireless Network Security• Cyber-Physical System Security

Power Systems Engineering – Utility technology, systems, equipment & culture

What to Look For:Program Tailored to Your Needs

The Framework is Generic

To Maximize Your ROI, yourprogram must be relevant:• Address your unique requirements.• Address SCADA vulnerabilities• Include NERC CIP• Provide utility-based examples/case studies• Be convenient for your students

Timeline to a Customized Program

The WPI Process:

Identify Customer Needs

Create Learning Objectives

Meet withExecutiveSponsor

Go/ NoGo

Effective Learning Objectives

“ As a result of this course, the student will be able to …”

Verbs to Use Verbs to Avoid

Explain, estimate, design, solve,prepare, detect, assess, determine, infer, illustrate, complete, operate, employ, rank, test, visualize, lead, etc.

Appreciate, Understand, Learn,Cover, Believe, Study,

Comprehend, etc.

The WPI Process:

Identify Customer Needs

Create Learning Objectives

Select Instructor(s)

Meet withExecutiveSponsor

Select Best DeliveryMethod

Develop Customized Curriculum

Launch Pilot Program

Assign Dedicated Support Team Survey Students

Mid End

Evaluate Surveys with Sponsor

Go/ NoGo

Timeline to a Customized Program

Courses Customized for the Power Industry

Computer and Network Security Including SCADA Protection

and NERC CIP Standards

Operations Risk Management Focus on Social Media Phishing and

Embedded Malware Risks

Case Studies in Computer Security Including Power Industry Examples

A Custom Graduate Cybersecurity Program

Framework Category Courses

Securely Provision Computer and Network SecuritySoftware Security Design and Analysis

Operate and Maintain Computer and Network Security

Protect and Defend Intruder Detection

Investigate Digital Forensics

Collect and OperateGovernment Role - Not in Program

AnalyzeOversight and Development

Operations Risk Management Case Studies in Computer Security

Modeled afterThe NationalCybersecurity

Workforce Framework

In Summary

“There are known knowns, things we know that we know; and there are known unknowns, things that we know we don't know. But there are also unknown unknowns, things we do not know we don't know.”

- Donald Rumsfeld

“There are known knowns, things we know that we know; and there are known unknowns, things that we know we don't know. But there are also unkown unknowns, things we do not know we don't know.”

- Donald Rumsfeld

In SummaryAttack Mode Counter Measures

• Maintain Robust Cyber Security Infrastructure• Maintain Physical Security Measures (NERC CIP)• Continue Secure Process Training (Human Firewall)

known knowns

known unknowns

unknown unknowns


• Maintain Robust Cyber Security Infrastructure• Maintain Physical Security Measures (NERC CIP)• Continue Secure Process Training (Human Firewall)

• Evaluate Penetration Testing Results• Perform Cyber Security Gap Analysis (DHS CSET)• Practice Supply Chain Cyber Risk Management• Stay Informed on Evolving Vulnerability

Assessments

known knowns

known unknowns

unknown unknowns


• Maintain Robust Cyber Security Infrastructure• Maintain Physical Security Measures • Continue Secure Process Training (Human Firewall)

• Conduct Penetration Testing & Analysis• Perform Cyber Security Gap Analysis (DHS CSET)• Practice Supply Chain Cyber Risk Management• Stay Informed on Evolving Vulnerability

Assessments• Prepare for “the day after”• Perform Incident Response and Analysis - Forensics• Develop Systems Behavior Modeling

• Invest in Continuing Education

known knowns

known unknowns

unknown unknowns

DiscussionWhat do you think?



Thank you

51