Security From the Ground Up
Steven Parker, May 3 2011, ICSJWG Spring Conference
27 slides

Uploaded by energysec, posted 22-Jan-2015


DESCRIPTION

Steve Parker presented during the plenary session at the 2011 ICSJWG Spring Conference. The presentation opened with a brief overview of NESCO and then moved quickly to the concept of "Security From the Ground Up". This dynamic presentation was well received by the industry.

TRANSCRIPT

1. Security From the Ground Up
   Steven Parker, May 3 2011, ICSJWG Spring Conference

2. Thesis
   Because top down approaches have proven insufficient, and in some cases detrimental, to advancing the security posture of critical infrastructure, bottom up efforts are needed that engage practitioners, equip them with tools and resources, and empower them to take action.
   (Slide footer, repeated on every slide: The National Electric Sector Cybersecurity Organization (NESCO) is a DOE-funded EnergySec Program)

3. Thesis (Tweetable version)
   Security depends more on people than policy. #icsjwg #nesco

4. Me & My Org
   • My name is Steve
   • I work for EnergySec
   • EnergySec is currently working exclusively on a DOE funded project to establish the National Electric Sector Cyber Security Organization (NESCO)

5. One of My Failures
   (image slide, no text)

6. Things I Know a Little
   (image slide, no text)

7. Things I Know a Little Less
   • Industrial Control Systems
   • EMS/DCS
   • Protective relays
   • Communications equipment
   • SCADA

8. History
   • 7/2004: EnergySec founded as E-Sec NW
   • 1/2008: SANS Information Sharing Award
   • 12/2008: Incorporated as EnergySec
   • 10/2009: 501(c)(3) nonprofit determination
   • 4/2010: EnergySec applied for National Electric Sector Cybersecurity Organization (NESCO) FOA
   • 7/2010: NESCO grant award from DOE
   • 10/2010: NESCO became operational

9. What Is The NESCO?

10. What NESCO Isn't

11. Tweetable Quote #1
    The collective smarts of industry peeps is orders of magnitude > any 1 person or org #icsjwg #nesco
    The collective intelligence and wisdom of industry practitioners is orders of magnitude larger than any one person or organization.

12. What's Wrong with Top Down?
    "Increasing use of corporate resources for regulation compliance activities reduces the resources available for security enhancements. For example, as a result of the NERC CIP standards, some utilities shifted to less efficient technologies because the cost to comply was greater than the cost to use an older technology. Others spent resources on compliance that were originally intended for additional cybersecurity measures."
    --- http://www.controlsystemsroadmap.net/pdfs/2011_roadmap_draft.pdf

13. What's Wrong with Top Down?
    "Organizations have made PCI DSS and compliance in general the basis of their information security policies. They're basing security on sloppy logic from Visa and MasterCard and in the process are ignoring some very bad state-sponsored threats. As a community, we have not evolved at all."
    "There are really bad people out there doing bad things and few pay attention to things like state-sponsored attacks and cyber warfare. This is because everyone's focusing on compliance."
    - Josh Corman, Nov 4, 2009, http://www.csoonline.com/article/506635/analyst-pci-security-a-devil-like-no-child-left-behind

14. Tweetable Quote #2
    Regs r like Socialism; Proponents blame failure on poor implementation, not inherent flaws #icsjwg #nesco
    Regulation is like Socialism; proponents blame its failure on poor implementation rather than its inherent flaws.

15. A Tale of Two ESPs
    "The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter."

16. Tweetable Quote #3
    We can prescribe action, but not attitude, and attitude is the secret sauce of security #icsjwg #nesco

17. A Ground Up Approach
    • Engage
    • Equip
    • Empower

18. Engage
    NESCO outreach programs:
    • Annual Summit (October 2011, San Diego)
    • Town Hall Meetings (August, Seattle area)
    • Voice Of The Industry Meetings (everywhere)
    • Interest Groups (Workforce Development, Forensics, etc)
    • Webinars, Briefings
    • Portal/Forums
    • Email distribution lists
    • Social media

19. Equip
    • ROSES - Repository of Open Source Security Solutions for the Energy Sector: program supporting the use and development of open, industry specific security solutions
    • NESCO Academy: cybersecurity education and workforce development
    • Share: case studies, good practices, tactical awareness, etc

20. Empower
    "I'm slowly becoming a convert to the principle that you can't motivate people to do things, you can only demotivate them. The primary job of the manager is not to empower but to remove obstacles."
    - Scott Adams, creator of Dilbert

21. Tweetable Quote #4
    The secret to securing CIKR is finding the right people and getting out of their way #icsjwg #nesco
    The secret to securing critical infrastructure is to identify the people with the requisite knowledge and skills, and then get out of their way.

22. The Physics of Organizations: Inertia
    Inertia is the resistance of any physical object to a change in its state of motion or rest, or the tendency of an object to resist any change in its motion. It is proportional to an object's mass.
    • Even positive and needed change is hard

23. The Physics of Organizations: Momentum
    Momentum is the product of the mass and velocity of an object. Like velocity, momentum is a vector quantity, possessing a direction as well as a magnitude.
    • Action in the wrong direction can be worse than no action at all

24. The Physics of Organizations: Gravity
    The force that attracts a body toward the center of the earth.
    • The incessant pull of mediocrity.

25. The Power to Change
    A force is any influence that causes a free body to undergo a change in speed, a change in direction, or a change in shape.
    • In the context of organizations and institutions, force comes from people.

26. You CAN Make a Difference
    "Never doubt that a small group of thoughtful, committed people can change the world. Indeed, it's the only thing that ever has."
    - Margaret Mead

27. (Closing slide; footer only)