Best practices in NERC CIP Compliance Programs
Protecting utility networks from cyber attack is a never-ending job. To that end, utilities are in the midst of modifying Critical Infrastructure Protection programs to not only comply with federal regulations but achieve mature security practices. In this session, panelists will discuss how their utilities are making use of the National Institute of Standards and Technology’s Cybersecurity Framework, NERC CIP standards and other security best practices for control references. Attendees will learn from those in the field on how they are shoring up their compliance programs. Panelists will discuss opportunities addressed throughout these processes and impart their lessons-learned.
Staying Ahead of the Threat: Current Trends in Physical Security
Physical security challenges remain a key priority for the utility industry. From concerns over sophisticated, targeted attacks on key infrastructure to the rise in environmental activism and vandalism, utilities must stay vigilant in their efforts to protect their assets. In this session, panelists will discuss current trends/best practices in physical security. What are the biggest challenges? What successes can be shared across the industry?
Putting Everything into Perspective: Are All Risks Business Risks?
9:45am - 10:45am
Is it blasphemy to say cybersecurity is not an operational risk? Many in the industry have been struggling to define accurate cybersecurity measurements for operational assets, and perhaps some have been looking at it the wrong way. To truly measure and reduce the cybersecurity aspect of a utility’s risk, especially those dealing with our operational assets, the role of cybersecurity must be better aligned with business goals. In this session, experts will discuss the need to alter the perception of cybersecurity from a primarily IT concern, to an everyday function of the business. Panelists will discuss ways to redefine how cybersecurity impacts are identified in operational environments. This presentation will arm attendees with information and data to make that argument and move us beyond our current limitations.
The New Paradigm in Grid Management, Cybersecurity & Critical Infrastructure Protection
The digitalization of utilities promises to optimize the supply and demand of electricity, manage the increasing number of renewable sources of energy and micro grids while offering efficiency improvements for consumers. Furthermore, the large volumes of data generated, combined with predictive analytics allows utilities to transition to a proactive mode of asset management. Such a far-reaching digital transformation comes with many challenges for critical infrastructures, with cyber security near the top of the list. The widespread connection of distributed energy resources will drastically increase the attack surfaces, which will expose utilities to new threats. Other issues such as the deployment of intelligent networks, interoperability between legacy systems and IoT devices, IT/OT convergence, equipment standardization and compliance all need to be addressed before the real benefits of the digital transformation can be achieved. Mr. Gaetan Houle, SNC-Lavalin’s Principal Security Architect, will touch upon the digital utility transformation and highlight some of the industry’s best-practices for transitioning to a secure, digitally integrated electrical grid amidst increasingly sophisticated threats.
Defense in Depth Strategy
10:30am - 11:00am
Cyber Attacks on Critical Infrastructures has risen more than 24% over the course of the past year. As time goes on, more and more Intelligent Electronic Devices (IEDs) are being deployed in Bulk Electric Systems (BES), Oil & Gas, and Transportation in order to be able to gather more data, and to help optimize efficiency. In turn, this is causing cybercriminals to turn their attention to Industrial Controls Systems (ICS) as targets. In order for operators to be able to defend against these attacks, they must implement a Defense in Depth strategy utilizing standards such as IEC 624423 and ISO 27001 along with guidelines such as the NIST Cybersecurity Framework, NCCOE Situational Awareness Planning Guide NIST SP 1800-7, and the BDEW whitepaper. While the implementation of any single strategy will not lead to full cybersecurity compliance, with the adaptation of Defense in Depth and in implementing more than one of these standards, it will help to reduce the “attack surface” which will greatly reduce the likelihood of an attacker being successful.
Threat Vectors & Attack Surfaces Related to Malware, Spyware & BYOD
3:15pm - 4:15pm
The enterprise market has for several years acknowledged the threat vectors and attack surfaces related to malware, spyware and BYOD. As such, enterprises have leveraged commercially available solutions in attempt to mitigate these risks. ICS operators, particularly electric utilities, have also made gains in protecting against these threat vectors, but most often, the protection has been deployed within the enterprise rather than the OT operational domain. Further, many evolving risks such as botnets as a service, cyber warfare, social engineering and the attack surface explosion that now includes IOT endpoints showcase the constantly increasing threat vectors that are not well mitigated in both the enterprise and ICS/OT domains. In fact, the Ukraine cyberattacks of 2016 and 2017 leveraged many of these threat vectors. West Monroe Partners and Cisco Systems have partnered with utilities to create an architecture and secure communications platform in the ICS/OT domain that will attempt to mitigate these threat vectors, attack surfaces and the Ukraine Kill Chains. This session will review the three party collaboration, the architectural guidelines, OT use cases, and validation and scoring of the resultant reference platform.
Updates on NERC CIP Compliance
4:30pm - 5:30pm
As utilities shore up their systems from all kinds of physical and cyber threats, the industry’s compliance arm is proposing new standards and requirements in an effort to manage these dangers. This session will give those responsible for implementing these standards an opportunity to hear from those crafting them. In this panel, attendees will hear current compliance trends for these evolving standards. Attendees will have an opportunity engage in an interactive dialogue regarding current best practices and upcoming changes.