Tampa Convention Center • Tampa, Florida

Cybersecurity Basics For Energy Managers

Michael Mylrea
Manager, Cybersecurity & Energy Technology
Pacific Northwest National Lab
August 15, 2017

Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities


Energy Exchange: Federal Sustainability for the Next Decade

Case Studies & Lessons Learned: Ukraine Grid Cyber Attack

Lessons Learned
• Know and Monitor Your Critical Cyber Assets
• Do Not Run A Flat Network - Segregate & Secure IT/OT Networks
• Cyber Policies Can Reduce Human Error
• Hackers Often Use Very Basic Tactics to Hack Very Vulnerable Systems
• Implement Password Management Controls, Firewalls, Encryption & Configuration Policies

The Industrial Control System Cyber Kill Chain. Michael J. Assante and Robert M. Lee October 2015


Case Studies & Lessons Learned

Devil’s Ivy, SHODAN RESEARCH, MIRAI

Lessons Learned
• Cybersecurity starts with smart procurement and provisioning of devices
• Though it is easy to find vulnerabilities, you can make it tough to exploit them
• Patch early, Patch often, Patch Smart
• Security is a continuous process that requires active management of cyber risk


Case Study: DOE Integrated Joint Cybersecurity Coordination Center – Cyber Physical ECC

Buildings Cybersecurity Framework

Lessons Learned & Recommendations
• Government lacks clear cybersecurity requirements for buildings and OT cybersecurity
• Insider attacks, social engineering & physical access can defeat cybersecurity defenses
• Establish clear roles and responsibilities for buildings cybersecurity
• Security is a continuous process that requires active management of cyber risk

http://www.bc2m2.pnnl.gov/

www.cf.labworks.org

3 Open Source Tools to Help Protect Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities


IJC3 Lessons Learned – Applying Facility OT Cyber Assessment Tools & Methodologies

DOE Buildings Cybersecurity Framework

DOE Cybersecurity Maturity Model

INL/DHS CSET

COTS Cyber Tools/Vendor Solutions

Provides an actionable framework for establishing OT building and facility specific OT cybersecurity PROCEDURES - Implements new executive order for cybersecurity for critical infrastructure

Provides high level baseline and guidance for developing cybersecurity POLICIES for buildings OT
• Adapted from over 50 cyber best practices to assess buildings/facilities IT and OT

Helps assess the policies and procedures that are in place against industry and government best practices

Organizational Level tools

Facility Level tools

Procedures

Policies

Measuring policies and procedures in place

Systems level Assessment

Security is a Continuous Process… Fostering a Culture of Security is Imperative. The following are a couple of easy to use tools to facilitate this process

There are many COTS, each with their own strengths and weaknesses… but no panacea.

Limitations: Cost, know-how and risk of causing damage - scanning legacy buildings controls


Buildings Cybersecurity Framework
https://cf.labworks.org


BCF Realizes Goals of the Recent Executive Order Requiring Implementation of the NIST Cyber Framework

• Domains are logical groupings of cybersecurity practices, based on the foundation of National Institute of Standards and Technology (NIST) Framework.

• The executive order encourages implementation of the NIST Framework which is the core of BCF and holds cabinet secretaries and agency directors responsible for the security of their organizations' information assets, as is the current law.

• "Agency heads will be held accountable by the president for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of information or systems," the revised draft order states.


Organization of the BCF Framework

Framework

Domains

Building Blocks

Each Domain Includes a Checklist & Security Indicator Level (SIL)

Security Level 1

Security Level 2

Security Level 3

Framework contains 5 domains

Three or more per domain. Unique to each domain

Based on NIST Cybersecurity Framework and existing best practices


BCF Webtool Features

https://cf.labworks.org


References

• SANS Institute 20 Critical Security Controls
• ISA 62443-3-3:2013
• ISO/IEC 27001:2013
• Michael Chipley; Daryl Haegley; and Eric J. Nickel, Your Building Control Systems Have Been Hacked. Now What?
• DOE Cybersecurity Capability Maturity Model (C2M2)
• DOE Buildings Cybersecurity Maturity Model (B-C2M2)
• DOE EERE BTO Buildings Cybersecurity Whitepaper (forthcoming)
• DOE EERE Building Cybersecurity Framework Overview (forthcoming)
• DOE’s U.S. Department of Defense, United Facilities Criteria: Cybersecurity of Facility-Related Control Systems (UFC)
• DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT)
• DoD Facility-Related Control Systems Cybersecurity Guidelines
• Executive Order 13636 and 13800 (May 2017)
• Michael J. Assante and Robert M. Lee. The Industrial Control System Cyber Kill Chain. October 2015
• National Institute of Standards and Technology Special Publication 800-53 R4 Security and Privacy Controls for Federal Information Systems and Organizations 2013
• National Institute of Standards and Technology Special Publication 800-82 R2 Guide to Industrial Control Systems (ICS) Security 2015
• National Institute of Standards and Technology Special Publication SP 800-115
• United Facilities Criteria 3-410-02 Direct Digital Control for HVAC and Other Building Control Systems
• Government Accountability Office Report 15-6 Federal Facility Cybersecurity 2014


Contact Info

Michael Mylrea
Pacific Northwest National Lab