The National Electric Sector Cybersecurity Organization (NESCO) was established by the U.S. Department of Energy to enhance cybersecurity information sharing in the electric sector. NESCO is operated by EnergySec, a nonprofit, and provides members with tools like a collaboration portal, rapid notification system, and Tactical Analysis Center. NESCO has grown significantly since its inception and aims to be fully industry-funded after an initial seed period supported by the Department of Energy.
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Â
EnergySec & National Electric Cyber Security Organization (NESCO) Overview by Patrick Miller, EnergySec
1. EnergySec & National
Electric Cyber Security
Organization (NESCO)
Overview
2012 Technologies for Security and Compliance Summit
The Anfield Group
August 1-2 2012
Barton Creek Resort â Austin, TX
2. New, New Security Model
ï§ Nation State quality adversaries
ï§ Fear the auditor more than
attacker
ï§ Regulatory avalanche forecast
ï§ Constant compromise
ï§ Ecosystem of organizations
ï§ Information sharing is holy grail
2
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
3. Info-Share to the Rescue!
ï§ What does Information Sharing
really mean?
â Taking vs. Sharing
â Secrecy for secrecyâs sake
â Government doesnât share well
(yet)
ï§ Very useful approach, but not a
panacea
ï§ Comes with trade-offsâŠ
3
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
4. Information Sharing Reality
Some ProsâŠ
ï§ What works, what
doesnât
ï§ Benchmarking
ï§ Situational
awareness
ï§ Tactical threat and
vulnerability analysis
ï§ Community-sourcing
ï§ Regulatory
compliance
ï§ Mentoring
4
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
Some ConsâŠ
ï§ Classification and
handling, both Gov
and Corporations
ï§ Lawyers,
agreements and
contracts
ï§ Consumers will
always outnumber
sharers
ï§ Trust; n parties
ï§ Doesnât scale well
5. Who is EnergySec?
ï§ Unique, non-profit, independent, public-
private information sharing organization
ï§ Borne from Energy Sector
ï§ Bottom-up vs. top-down
ï§ TRUSTED
â By the industry, for the industry
â Non-profit 501(c)(3)
â Independent, private
â 10+ years of information sharing experience
5
7/31/201
3
The National Electric Sector Cybersecurity Organization is partially funded by the US Department of Energy
6. EnergySec Background
ï§ 10.2001: Precursor to E-Sec NW formed
ï§ 7.2004: E-Sec NW formalized and âfoundedâ
â Asset owner/operator ONLY; all volunteer
ï§ 1.2008: SANS Information Sharing Award
ï§ 12.2008: Incorporated E-Sec NW as
EnergySec
ï§ 10.2009: 501(c)(3) nonprofit determination
ï§ 4.2010: EnergySec applied for NESCO DOE
FOA
ï§ 7.2010: EnergySec awarded NESCO FOA
ï§ 10.2010: NESCO became operational
6
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy.
7. What EnergySec Is NOTâŠ
ï§ Not a lobbyist
ï§ Not a vendor
ï§ Not a consultant
ï§ Not government agency
ï§ Not a regulator
7
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
8. EnergySec Staff
ï§ Extensive applied sector experience
â Many years employment at asset owners
â Operations, security, audit, Sr mgmt, OT, IT
â Regional Entity leadership
â Independent consulting; big firms and
boutiques
â Built several successful companies
â EnergySec founders, Info-sharing pioneers
â Certified, trusted, highly connected, dedicated
8
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy.
9. EnergySec Programs
ï§ NESCO: Information Sharing &
Best Practices
ï§ Advisory Service
ï§ EnergySec University
â Education/Workforce
Development
ï§ LIGHTS: Security in a box
(turnkey)
â Independent board
â Partnership with ICS-ISAC
9
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
10. EnergySec Nonprofit
Umbrella
EnergySec
NESCO Advisory University OtherâŠ
10
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
11. EnergySec Advisory
ï§ Customized agenda; facilitated discussion
ï§ Examine current and horizon energy
sector specific cyber security legislation
ï§ Explore methods to meet compliance
obligations and enhance security posture
ï§ Present threat, vulnerability and impact
landscape to executives and staff
ï§ Highest concentration of advisors with
unique and hard-to-ïŹnd combination of
experience
11
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
12. EnergySec University
ï§ Professional/workforce development path
â Internal expertise as instructors
â Open faculty roster from best and brightest
â Courses in all IT/OT security-related
disciplines
ï§ Internship matchmaking â coming soon
ï§ Working closely with National Board of
Information Security Examiners (NBISE)
12
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
13. What Is NESCO?
ï§ R. 3183 â...the Secretary shall establish an
independent national energy sector cyber security
organization...â
â Department Of Energy issued FOA on March 31, 2010
ï§ Purpose is to âestablish a National Electric Sector
Cyber Security Organization that has the knowledge,
capabilities, and experience to protect the electric
grid and enhance integration of smart grid
technologies that are adequately protected against
cyber attacks.â
ï§ âThis organization will serve as a focal point to bring
together domestic and international experts,
developers, and users who will assess and test the
security of novel technology, architectures, and
applications.â
13
7/31/201
3
The National Electric Sector Cybersecurity Organization is partially funded by the US Department of Energy
14. NESCO Objectives
ï§ Organize, lead and implement a public-private
partnership
ï§ Focus cybersecurity research and development
priorities
ï§ Identify and disseminate security best practices
ï§ Organize the collection, analysis and dissemination of
infrastructure vulnerabilities and threats
ï§ Work cooperatively with the DOE and other Federal
Agencies
ï§ Enhance cybersecurity of the bulk power grid and
electric infrastructure
14
7/31/201
3
The National Electric Sector Cybersecurity Organization is partially funded by the US Department of Energy
15. Who Is NESCO?
15
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy.
âą Public
âą Private
âą Non-Reg
âą Regulatory
âą Fed, StateâŠ
âą Product
âą Service
âą IOU
âą Muni
âą Coop
Asset Owners Vendor
Academia/Research
Govt
16. Connect & Support
16
7/31/201
3
The National Electric Sector Cybersecurity Organization is partially funded by the US Department of Energy
Utility
Asset
Owners
17. Membership Growth
17
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
18. Member Demographics
18
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
Academic
5%
Asset Owner
49%
Govt/Regulatory
11%
Vendor/Other
35%
Membership by Organization
Academic
2%
Asset Owner
64%
Govt/Regulatory
12%
Vendor/Other
22%
Membership by Individual
363 unique organizations1,050 Individual members
Predominately Asset Owner Driven Membership Base
19. Membership Overview
ï§ NESCO Members of Sept 30 2011 (1
year)
â 788 NESCO members
â 278 unique organizations
ï§ NESCO Members as of July 12 2012:
â 1050 individuals
â 363 unique organizations
Note: This represents a nearly 50% annual
growth rate
19
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
20. Social Media Outreach
ï§ NESCO mailing list: 3536
ï§ NESCO Twitter followers: 2635
ï§ NESCO LinkedIn group members: 535
20
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
21. Direct Outreach
ï§ 3 Town Hall meetings
ï§ 19 Voice of the Industry (VOI)
meetings
ï§ 82 TAC notices; 149 follow up
threads
ï§ 71 presentations/panels
ï§ 94 event participation
ï§ 37 blog mentions
ï§ 43 interviews and article citations
21
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
22. Engage, Equip & Empower
22
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
ï§ Sharing requires trust
ï§ Trust is built on relationships
ï§ Our approachâŠ
â Bringing people together
â Flexible technology options and
solutions to extend and enhance
relationships
â Organic growth; birds of a feather
23. NESCO Is Technology
ï§ Secure collaboration portal
â Wiki
â Working groups
â Discussion forums
â Email distribution lists
ï§ Rapid Notification System
ï§ Social Media
â LinkedIn, Twitter, Facebook
23
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy.
24. NESCO Tools
24
7/31/201
3
The National Electric Sector Cybersecurity Organization is partially funded by the US Department of Energy
ï§ Email distribution lists
ï§ Secure collaboration wiki
ï§ Secure instant messaging
ï§ Rapid notification
mechanisms
ï§ Resource repository
ï§ Most technologies have non-
attribution (anonymous)
options
25. NESCO Resource Repository
25
7/31/201
3
The National Electric Sector Cybersecurity Organization is partially funded by the US Department of Energy
ï§ Best/common practices
ï§ Policy, process, procedure
ï§ Compliance approaches
ï§ Document Templates
ï§ Code snippets, scripts
ï§ System configurations
ï§ Links to useful security sites
ï§ And moreâŠ
26. NESCO Tactical Analysis
Center
ï§ Supports ES-ISAC and ICS-CERT
ï§ Open & private source intelligence
ï§ Asset owner volunteer handler
SMEs with virtual âdashboardsâ
ï§ Rapid, community-sourced analysis
ï§ Secure communications
ï§ Rapid notification system
ï§ Daily diaries, trending
ï§ Quarterly & annual reports
26
7/31/201
3
The National Electric Sector Cybersecurity Organization is partially funded by the US Department of Energy
27. ES-ISAC, ICS-CERT and TAC
ï§ An analogy⊠triage and long term care
ï§ Basic differences of the TAC
â Operated by an independent non-profit org
â Not associated with a federal regulatory agency
âą DOE partner is non-regulatory
âą Funding expires in 2014, only âseedâ money provided
âą Funding model involves cost-share, so industry bears
cost throughout entire effort
â Electric sector specific
â Provides feeds, when requested to NERC & DHS
& âŠ
27
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
28. ES-ISAC, ICS-CERT and TAC
ï§ Basic differences of the TAC
â Covers all entities, not just Registered Entities
under the NERC Functional Model
âą Not just Bulk Electric w/ CA and CCA
âą Includes smart grid, distribution, QF generation
â NESCO staff work alongside industry handlers
â RNS has direct access to security staff
â Volunteer reporting structure, not mandatory
â Private position offers unique vendor
relationships
â Anonymized pass through for bi-directional
sharing
28
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
29. NESCO Products
ï§ Whitepapers
â DNS Exfiltration
â Security Logging Best Practices and
Capability Maturity Models
â Public Key Infrastructure, Automated Metering
Infrastructure and Industrial Control Systems
â DOE Electric Sector Cybersecurity Capability
Maturity Model (ES-C2M2) â coming soon!
â What else would you like to see?
29
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy.
30. NESCO Products
ï§ Rapid Notification System
â Night Dragon webcast
â Duqu webcast
â Multiple TAC notices
30
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
31. NESCO Success Stories
31
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy.
âŠis fantastic
that [DOE
produces] a
document that
deals with a
subject so
technical and
that it makes
available to
the public.
http://goo.gl/0xiWp
32. NESCO Success Stories
ï§ Spearphishing notices from asset owner
shared with DHS for action
â Result: DHS ICS-CERT advisory issued
ï§ Accounts from service contractor posted to
Internet reviewed for asset owner data
â Result: Direct contact warning to specific
parties
32
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy.
33. NESCO Success Stories
ï§ Exposed control systems posted on
Internet matched to asset owners
â Result: Direct contact warning to specific
parties
ï§ EnergySec spearphishing attempt
â Result: Cross-organization comparison with
general industry advisory; IOCs published
33
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
34. NESCO Success Stories
ï§ Industry and [some] Regional Entities
seeking to modify process for Technical
Feasibility Exceptions to maximize security
benefit
â Result: NESCO provided independent and
impartial discussion forum, webinar and
industry feedback loop for proposed change
to process
34
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
35. NESCO Success Stories
35
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
36. NESCO Funding Model
ï§ Department of Energy FOA
ï§ Cooperative agreement
ï§ Cost-share is ~40%, ramps
over life of 3.5 year âseedâ
window
ï§ At end of seed
window, NESCO is fully
funded by industry
ï§ Supported by underwriters
and TAC subscriptions
36
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
37. NESCO Summary
ï§ Focused on building trust through
relationships to further security
collaboration and sharing
ï§ Flexible technology facilitates and
catalyzes information/resource sharing
efforts
ï§ Supports existing successful programs
ï§ Security voice of the electric sector
37
7/31/201
3
The National Electric Sector Cybersecurity Organization is partially funded by the US Department of Energy
38. Get Connected
ï§ EnergySec Summit: September 25-28
â NESCO Town Hall
â CISO Forum
â Policy and Technical Tracks
ï§ EnergySec University Courses
â NERC CIP Training: Las Vegas 10/25
â NERC CIP Training: Sacramento 12/4
â Cybersecurity for Operations: Nashville 11/7
ï§ NESCO Voice of the Industry (VOI)
Meetings
38
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
39. Get Connected
ï§ www.energysec.org
ï§ www.energysec.org/join
ï§ www.energysec.org/tac-subscription-
service
ï§ TAC@energysec.org
ï§ New NESCO website soon!
39
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
40. Questions?
40
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
Patrick C Miller
Principal Investigator, National Electric Sector Cybersecurity Organization
President & CEO, EnergySec
patrick.miller@energysec.org
503.446.1212 (desk)
@patrickcmiller (twitter)
www.energysec.org