Security From the Ground Up
Steven Parker
May 3, 2011
ICSJWG Spring Conference
The National Electric Sector Cybersecurity Organization (NESCO) is a DOE-funded EnergySec Program
Thesis
• Because top-down approaches have proven insufficient, and in some cases detrimental, to advancing the security posture of critical infrastructure, bottom-up efforts are needed that engage practitioners, equip them with tools and resources, and empower them to take action.
Thesis (Tweetable version)
• Security depends more on people than policy. #icsjwg #nesco
Me & My Org
• My name is Steve
• I work for EnergySec
• EnergySec is currently working exclusively on a DOE-funded project to establish the National Electric Sector Cyber Security Organization (NESCO)
One of My Failures
Things I Know a Little
Things I Know a Little Less
• Industrial Control Systems
• EMS/DCS
• Protective relays
• Communications equipment
• SCADA
History
• 7/2004: EnergySec founded as E-Sec NW
• 1/2008: SANS Information Sharing Award
• 12/2008: Incorporated as EnergySec
• 10/2009: 501(c)(3) nonprofit determination
• 4/2010: EnergySec applied for National Electric Sector Cybersecurity Organization (NESCO) FOA
• 7/2010: NESCO grant award from DOE
• 10/2010: NESCO became operational
What Is The NESCO?
What NESCO Isn’t
Tweetable Quote #1
• The collective smarts of industry peeps is orders of magnitude > any 1 person or org #icsjwg #nesco
• The collective intelligence and wisdom of industry practitioners is orders of magnitude larger than any one person or organization.
What’s Wrong with Top Down?
• “Increasing use of corporate resources for regulation compliance activities reduces the resources available for security enhancements.”
• “For example, as a result of the NERC CIP standards, some utilities shifted to less efficient technologies because the cost to comply was greater than the cost to use an older technology. Others spent resources on compliance that were originally intended for additional cybersecurity measures.”
• Source: http://www.controlsystemsroadmap.net/pdfs/2011_roadmap_draft.pdf
What’s Wrong with Top Down?
• “Organizations have made PCI DSS and compliance in general the basis of their information security policies. They're basing security on sloppy logic from Visa and MasterCard and in the process are ignoring some very bad state-sponsored threats. As a community, we have not evolved at all.”
• “There are really bad people out there doing bad things and few pay attention to things like state-sponsored attacks and cyber warfare. This is because everyone's focusing on compliance.”
• Josh Corman, Nov 4, 2009
• Source: http://www.csoonline.com/article/506635/analyst-pci-security-a-devil-like-no-child-left-behind-
Tweetable Quote #2
• Regs r like Socialism; Proponents blame failure on poor implementation, not inherent flaws #icsjwg #nesco
• Regulation is like Socialism; proponents blame its failure on poor implementation rather than its inherent flaws
A Tale of Two ESPs
• “The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter.”
Tweetable Quote #3
• We can prescribe action, but not attitude, and attitude is the secret sauce of security #icsjwg #nesco
A Ground Up Approach
• Engage
• Equip
• Empower
Engage
• NESCO outreach programs
  – Annual Summit (October 2011, San Diego)
  – Town Hall Meetings (August, Seattle area)
  – Voice Of The Industry Meetings (everywhere)
  – Interest Groups (Workforce Development, Forensics, etc.)
  – Webinars, Briefings
  – Portal/Forums
  – Email distribution lists
  – Social media
Equip
• ROS³ES - Repository of Open Source Security Solutions for the Energy Sector
  – Program supporting the use and development of open, industry-specific security solutions
• NESCO Academy
  – Cybersecurity education and workforce development
• Share
  – Case studies, good practices, tactical awareness, etc.
Empower
• “I'm slowly becoming a convert to the principle that you can't motivate people to do things, you can only demotivate them. The primary job of the manager is not to empower but to remove obstacles.”
  – Scott Adams, creator of Dilbert
Tweetable Quote #4
• The secret to securing CIKR is finding the right people and getting out of their way #icsjwg #nesco
• The secret to securing critical infrastructure is to identify the people with the requisite knowledge and skills, and then get out of their way.
The Physics of Organizations: Inertia
• Inertia is the resistance of any physical object to a change in its state of motion or rest, or the tendency of an object to resist any change in its motion. It is proportional to an object's mass.
• Even positive and needed change is hard
The Physics of Organizations: Momentum
• Momentum is the product of the mass and velocity of an object. Like velocity, momentum is a vector quantity, possessing a direction as well as a magnitude.
• Action in the wrong direction can be worse than no action at all
The Physics of Organizations: Gravity
• The force that attracts a body toward the center of the earth
• The incessant pull of mediocrity.
The Power to Change
• A force is any influence that causes a free body to undergo a change in speed, a change in direction, or a change in shape.
• In the context of organizations and institutions, force comes from people.
You CAN Make a Difference
• "Never doubt that a small group of thoughtful, committed people can change the world. Indeed, it's the only thing that ever has." -Margaret Mead