Security From the Ground Up

Security
From the Ground Up
Steven Parker
May 3 2011
ICSJWG Spring Conference

Thesis
• Because top down approaches have proven
insufficient, and in some cases detrimental, to
advancing the security posture of critical
infrastructure, bottom up efforts are needed that
engage practitioners, equip them with tools and
resources, and empower them to take action.

The National Electric Sector Cybersecurity Organization
(NESCO) is a DOE-funded EnergySec Program 2

Thesis (Tweetable version)

• Security depends more on
people than policy. #icsjwg
#nesco


Me & My Org
• My name is Steve
• I work for EnergySec
• EnergySec is currently working exclusively on a
DOE funded project to establish the National
Electric Sector Cyber Security Organization
(NESCO)


One of My Failures


Things I Know a Little


Things I Know a Little Less

• Industrial Control Systems
• EMS/DCS
• Protective relays
• Communications equipment
• SCADA


History
• 7/2004: EnergySec founded as E-Sec NW
• 1/2008: SANS Information Sharing Award
• 12/2008: Incorporated as EnergySec
• 10/2009: 501(c)(3) nonprofit determination
• 4/2010: EnergySec applied for National Electric Sector
Cybersecurity Organization (NESCO) FOA
• 7/2010: NESCO grant award from DOE
• 10/2010: NESCO became operational


What Is The NESCO?


What NESCO Isn’t


Tweetable Quote #1
• The collective smarts of industry peeps is orders
of magnitude > any 1 person or org #icsjwg
#nesco

• The collective intelligence and wisdom of industry
practitioners is orders of magnitude larger than
any one person or organization.


What’s Wrong with Top Down?
• “Increasing use of corporate resources for regulation
compliance activities reduces the resources available for
security enhancements.”
• “For example, as a result of the NERC CIP standards,
some utilities shifted to less efficient technologies
because the cost to comply was greater than the cost to
use an older technology. Others spent resources on
compliance that were originally intended for additional
cybersecurity measures.”
• ---
• http://www.controlsystemsroadmap.net/pdfs/2011_roadmap_draft.pdf


What’s Wrong with Top Down?
• “Organizations have made PCI DSS and compliance in
general the basis of their information security policies.
They're basing security on sloppy logic from Visa and
MasterCard and in the process are ignoring some very
bad state-sponsored threats. As a community, we have
not evolved at all."
• "There are really bad people out there doing bad things
and few pay attention to things like state-sponsored
attacks and cyber warfare. This is because everyone's
focusing on compliance,"
• http://www.csoonline.com/article/506635/analyst-pci-security-a-devil-like-no-child-left-behind-
• Josh Corman Nov 4, 2009


Tweetable Quote #2
• Regs r like Socialism; Proponents blame failure
on poor implementation, not inherent flaws
#icsjwg #nesco

• Regulation is like Socialism; Proponents blame
its failure on poor implementation rather than its
inherent flaws


A Tale of Two ESPs
• “The Responsible Entity shall ensure that every
Critical Cyber Asset resides within an Electronic
Security Perimeter.”


Tweetable Quote #3
• We can prescribe action, but not attitude, and
attitude is the secret sauce of security #icsjwg
#nesco


A Ground Up Approach

• Engage
• Equip
• Empower


Engage
• NESCO outreach programs
– Annual Summit (October 2011, San Diego)
– Town Hall Meetings (August, Seattle area)
– Voice Of The Industry Meetings (everywhere)
– Interest Groups (Workforce Development, Forensics,
etc)
– Webinars, Briefings
– Portal/Forums
– Email distribution lists
– Social media

Equip
• ROS³ES - Repository of Open Source Security
Solutions for the Energy Sector
– Program supporting the use and development of open,
industry specific security solutions
• NESCO Academy
– Cybersecurity education and workforce development
• Share
– Case studies, good practices, tactical awareness, etc


Empower
• “I'm slowly becoming a convert to the principle
that you can't motivate people to do things, you
can only demotivate them. The primary job of the
manager is not to empower but to remove
obstacles.”
• -Scott Adams, creator of Dilbert


Tweetable Quote #4
• The secret to securing CIKR is finding the right
people and getting out of their way #icsjwg
#nesco

• The secret to securing critical infrastructure is to
identify the people with the requisite knowledge
and skills, and then get out of their way.


The Physics of Organizations
Inertia
• Inertia is the resistance
of any physical object to
a change in its state of
motion or rest, or the
tendency of an object to
resist any change in its
motion. It is
proportional to an
object's mass.

• Even positive and
needed change is hard

Momentum
• Momentum is the
product of the mass
and velocity of an
object. Like velocity,
momentum is a vector
quantity, possessing a
direction as well as a
magnitude.

• Action in the wrong
direction can be worse
than no action at all

Gravity
• The force that attracts a
body toward the center of
the earth

• The incessant pull of
mediocrity.


The Power to Change
• a force is any influence that causes a free body
to undergo a change in speed, a change in
direction, or a change in shape.

• In the context of organizations and institutions,
force comes from people.


You CAN Make a
Difference
• "Never doubt that a small group of thoughtful,
committed people can change the world. Indeed,
it's the only thing that ever has." -Margaret Mead


Security From the Ground Up

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Security From the Ground Up

Ähnlich wie Security From the Ground Up (20)

Mehr von EnergySec

Mehr von EnergySec (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Security From the Ground Up