Presented by: Gib Sorebo, SAIC Abstract: For the last few years, energy companies, particularly electric utilities, have been scrambling to meet the onslaught of cybersecurity regulations. However, hackers don’t follow regulations, so the need to rapidly address evolving threats is imperative to meet expectations of senior leadership, board members, and shareholders. This session will discuss how a mature governance structure and a cybersecurity strategy based on a comprehensive understanding of business risk can be used to address threats, comply with regulations, and obtain support from company stakeholders.

1. NATIONAL SECURITY • ENERGY & ENVIRONMENT • HEALTH • CYBERSECURITY
© SAIC. All rights reserved.
Cybersecurity for Energy: Moving Beyond Compliance

2. SAIC.com
© SAIC. All rights reserved.
The Threats Keep Coming….
2
• 1998: Telephone switch hack closes an airport
• 2000: Gazprom central control is hacked
• 2000: Australian hacker causes environmental harm by releasing sewage
• 2001: Hackers protesting U.S./China conflict enter U.S. electric power systems
• 2003: Power outages in northeastern United States occur
• 2003: Worm shuts systems down at Davis-Besse nuclear plant
• 2006: Zotob virus shuts down Holden car manufacturing plant (Australia)
• 2007: Aurora demonstration shows damage a remote hacker can cause physical
harm to a generator
• 2008: Intruder installed malware causing damage to Sacramento River diverter
• 2010: Stuxnet discovered
• 2012: Saudi Aramco targeted by Shamoon virus wiping out 30,000 hard drives

3. SAIC.com
© SAIC. All rights reserved.
….And Our Defenses Struggle to Keep Up
Threat Briefing: Escalating Security Threats
3
• Attackers prefer lower-tech attack methods if they work
• Attacks are tailored to the defenses they need to breach
• As defenses improve, attacks will escalate to breach them, then step back down
• Improve defenses in one area and attackers move to other areas that are weaker
Attacks
Defenses
Phishing
Spear Phishing
Published Vulnerabilities:
(Browser, App, OS)
Web Attacks:
(SQL Inject; Cross-Site Script)
Credential Harvesting & Abuse:
(Keylogger, Pass-the-Hash)
2 factor Compromise:
(Session hijack, OTP capture, Cert theft)
Break Weak Crypto / Password
Zero Day:
(Browser, App, OS)
Driver / BIOS / Hardware:
(Vulnerability, Zero-Day)
Hypervisor Breach:
(Vulnerability, Zero-Day)
Break Strong Cryptography
Firewall
Anti-Virus
Patching
Network IDS
Host Firewall, Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
Network Segmentation
Physical Isolation
Hardened operating system
Data Protection / Encryption
Secure Coding
Access Control
App Whitelisting
App Hardening
High Assurance hardware
2-Factor Authentication
Log Consolidation
In-Memory Malware Detection
Increasing Difficulty
APT
Hackers
Hacktivists
Viruses
Network Breach:
(Firewall, Switch, Router)
BIOS = Binary Input
Output System
APT = Advanced Persistent
Threat
OS = Operating System
OTP = One-time Password
Cert = Certificate

4. SAIC.com
© SAIC. All rights reserved.
Cybersecurity is Becoming a Board-level Issue
Reuters, October 13, 2011
National Association of Corporate Directors

5. SAIC.com
© SAIC. All rights reserved.
Turning Cybersecurity Risk Into a Business Risk
• Nuisance Example: Isolated malware infections
– Typically occur at rate of 6% of computers per year
– One oil company estimated cost at $4000 per machine (including productivity losses)
5
• Slightly Less of a Nuisance: Customer Data Breach Losses
– Ponemon Institute estimated at $194 per record (most of cost is future lost business)
– TJX saw losses of more than $171 million for its 2006 data breach; Heartland Payments Systems had
130 million credit card numbers breached in 2009
– For most customer data breaches, however, the relevant costs are minor as harms are hard to prove and
the reputational damage is short-lived
• For utilities, greatest threats through cybersecurity attack are on ability to operate
– Maintaining stability of transmission and distribution grids (preventing widespread outages)
– Keeping hard to replace equipment from being damaged or destroyed (Aurora)
– Protecting human lives (fires, electrocutions, explosions, radiation)
– Ability to maintain cash flow (integrity of financial records, ability to bill and receive payments, access to
bank accounts to pay suppliers)
– Ability to generate and coordinate (independent system operator functions, automated generation
control)

6. SAIC.com
© SAIC. All rights reserved.
What About These “Cyber” Risks?
“Examples of true incidents that have been labelled cyber security breaches are as follows:
– a mis-sent email (a strategy document sent to a competitor);
– commercial papers lost on a train;
– a former employee that was not legally prevented from taking bid information to a
competitor;
– a laptop left on a plane with passwords attached; and careless use of social media giving
away IPR,
– and more frequently, because it's cheaper, the use of social engineering ("new best
friends" who buy you drinks all night at the bar, fascinated by your company).”
Andrew Fitzmaurice, The Guardian, July 25, 2013
http://www.guardian.co.uk/media-network/media-network-blog/2013/jul/25/cyber-security-board-level-information-technology
6

7. SAIC.com
© SAIC. All rights reserved.
Organizing Around Business Risk
• The Banking Experience (Basel II/III)
– Organizes risk around categories that can be measured and contribute to organization’s
overall risk posture that influence capital requirements
7
Influence on Capital
Requirements Market
Risk
Credit Risk
Liquidity
Risk
Operational
Risk
Operational Risk
Components
Legal
Human Resources
Physical Security/
Facilities
Procurement
IT (Performance,
Security,
Capacity)
IT – Information Technology

8. SAIC.com
© SAIC. All rights reserved.
Business Risk for Utilities
8
• Align by function/business area
– Harder to tie in financial metrics that benefit from lower risk (bond ratings?)
Utility Business Risks T&D Reliability
Energy Trading
Key Equipment
Protection
Human Safety
Operational Risk
Operational Risk Cash Flow
Compliance
Human Resources
Facilities
IT (Performance,
Security,
Capacity)
T&D – Transmission & Distribution
IT- Information Technology

9. SAIC.com
© SAIC. All rights reserved.
Governance Model
9
• Who does cybersecurity organization report to?
– In many, it’s the Chief Information Officer
– Can reporting reach executive and board level stakeholders?
– Do policies regularly get the backing of the CEO?
• Budget
– Is the cybersecurity budget tied to major initiatives (transmission expansion,
safety initiatives, new substations)?
– Is there a relationship between cybersecurity risk and other major risks?
• As new meters, sensors, and relays are added, is cybersecurity risk adjusted along
with its budget?
• Are improvements in grid reliability correlated with improvement in cybersecurity?
– Are cybersecurity budget line items evaluated for how they help reduce major
business risks or even other operational risks?

10. SAIC.com
© SAIC. All rights reserved.
Moving from a Tactical to Risk Management
Mindset
10
• What gets reported?
– Malware infections vs. business disruptions
– Data breaches/lost laptops vs. value at risk
– Attacks blocked vs. threats averted
• How are resources allocated for cybersecurity?
Tactical
• Firewall management
• Log management
• Authentication
• Endpoint security
• Server security
Risk Management
• T&D grid stability
• Customer data protection
• Energy trading integrity
• Key asset protection
• Health and safety
T&D – Transmission & Distribution

11. SAIC.com
© SAIC. All rights reserved.
From Resistance to Resiliency and Recovery
11
• Do you know what your response will be if…
– You cannot trust the data coming from your substations
– Customer billing data has been corrupted
– Hackers have brought down your Energy Management System, and you’re not
sure if all malware has been removed
– A smart meter firmware update that was just applied contains malicious code
that shuts off power and then ceases communication?
• Most utilities run disaster recovery and business continuity drills but
usually focus on natural events and not malicious and sentient actors
• While prevention and detection are necessary, successful programs
assume response and recovery will be required and plan accordingly

12. SAIC.com
© SAIC. All rights reserved.
Where to Start
12
• How can you tell how good a job you are doing?
– Mapping to business risks helps to speak to the board but day to day challenges
still require a comprehensive approach
– Frameworks can help if used in the context of business risk
• NERC CIP, NIST SP 800-53/800-82, ISO 27001, IEC 62443*
• Need maturity models and means of comparison with peers
Electricity
Subsector
Cybersecurity
Capability
Maturity
Model
US Department of
Energy
Maturity
Indicator Levels
(MIL):
MIL1: Initiated
MIL2: Performed
MIL3: Managed
*See last slide for acronyms

13. SAIC.com
© SAIC. All rights reserved.
Managing IT Security Capabilities
13
# Functional Area Architect Design Deploy Support Retire Maintain Operate
1
Security Infrastructure
Management
X X X X X X X
2 Network Admin & Security X X X X X X X
3 Application Security X X X X X X X
4 Endpoint & Server Security X X X X X X X
5
Cryptography &
Data Protection
X X X X X X X
6
Identity Management &
Authentication
X X X X X X X
7
Asset Management & Supply
Chain
X X X X X X X
8
Monitoring & Vulnerability
Management
X X X X X X X
9 Incident Response X X X X X X X
10
Policy & Audit & E-Discovery
& Training
X X X X X X X
• Need to apply controls from a lifecycle and functional perspective such as Integrated Strategy &
Architecture, Integrated Operations, and Engineering services in each of Ten Functional Areas as
indicated below.
Strategy & Architecture OperationsEngineering

14. SAIC.com
© SAIC. All rights reserved.
Along with Some Control System Considerations
14
Bridging the Information Technology (IT) / Operations Technology (OT) divide will
be critical to successful program as the threats hit IT first, but the biggest impact
is felt on the OT side.

15. SAIC.com
© SAIC. All rights reserved.
Integrating the Data
15
• Frameworks operate at 10,000 feet, threats at ground level
– Need automated mechanisms to report current state
– In government, we often use the term “continuous monitoring;” commercially it’s
often “enterprise vulnerability management”
– Also need to ensure mandated controls stay current with threats
Operations/Engineering
Physical Security
IT-Telecom/Cybersecurity
Roles-
based
Correlation

16. SAIC.com
© SAIC. All rights reserved.
Putting It All Together
16
Strategy & Risk Management
– Assessing and Reporting
– Mapping security controls to
acceptable risk posture
– Making sure cybersecurity risks are
associated with business risks
Security Operations
– Monitoring systems and networks for
attacks
– Continuously monitoring for
vulnerabilities and policy violations
– Aggressively seeking out threat
intelligence
– Responding to incidents and
assisting with the recovery
Security Engineering
– Researching new protection techniques
– Designing, deploying, and supporting new
security tools and technologies
– Aligning security tools, techniques, and
technologies with organization’s culture
and business drivers
Governance
& Oversight

17. SAIC.com
© SAIC. All rights reserved.
Budgets: How Much Security is Enough?
17
• The industry norms
– Cybersecurity budgets in all industries tend to range from 3 to 10% of information
technology budget
– For utilities, that number is closer to 3-5%
– IT budgets vary considerably by industry given different ways revenue is generated
– For many, 2-5% of revenue is typical for an IT budget
– For energy companies, operations technology (such as control systems) may be
additional
• Criteria for additional expenditures
– Regulatory compliance (as much as 50% of security budget)
– Requirements to meet business continuity objectives
– Desire to meet industry best practices (such as encryption of all removable storage)
– Changing threat landscape
– Easily exploitable vulnerabilities
– Achieving acceptable risk posture (most subjective & hardest to substantiate)

18. SAIC.com
© SAIC. All rights reserved.
Example: Incorporating New Threats
18
• Stuxnet
– Highly targeted and advanced attack on an Iranian nuclear power plant
– Included several “zero day” exploits (malicious software targeting vulnerabilities
that had not been publicly known
– Likely introduced into “air-gapped” environment through flash drive
Updating security policy and related controls
Removable Media
Practices
“Out of band”
monitoring
Application
Whitelisting
Obtain buy-in from senior
management
Tie changes to key
business objectives (such
as key asset protection)
Update budget
Update policies &
train employees
Deploy software
Integrate
technology

19. SAIC.com
© SAIC. All rights reserved.
19
In Summary
Keys for
Successful
Security
Program
Compliance
Through
Lower Risk
Crossing
Organization
Boundaries
A Strategic
Approach
Future Aware
Holistic
Security
Approach

20. Discussion
For more information contact:
Gib Sorebo
SAIC Vice President /Chief Cybersecurity Technologist
phone: 703-676-2605 | email: sorebog@saic.com

21. SAIC.com
© SAIC. All rights reserved.
Acronyms
21
NERC – North American Electric Reliability Corporation
CIP – Critical Infrastructure Protection
NIST SP – National Institute for Standards and Technology Special Publication
ISO – International Standards Organization
IEC – International Electrotechnical Commission