Steve Parker presented during the plenary session at the 2011 ICSJWG Spring Conference. The presentation gave a brief overview of NESCO and then moved quickly into the concept of "Security From the Ground Up". This dynamic presentation was well received by the industry.
2. Thesis
• Because top down approaches have proven
insufficient, and in some cases detrimental, to
advancing the security posture of critical
infrastructure, bottom up efforts are needed that
engage practitioners, equip them with tools and
resources, and empower them to take action.
The National Electric Sector Cybersecurity Organization
(NESCO) is a DOE-funded EnergySec Program 2
3. Thesis (Tweetable version)
• Security depends more on
people than policy. #icsjwg
#nesco
4. Me & My Org
• My name is Steve
• I work for EnergySec
• EnergySec is currently working exclusively on a
DOE-funded project to establish the National
Electric Sector Cybersecurity Organization
(NESCO)
5. One of My Failures
6. Things I Know a Little
7. Things I Know a Little Less
• Industrial Control Systems
• EMS/DCS
• Protective relays
• Communications equipment
• SCADA
8. History
• 7/2004: EnergySec founded as E-Sec NW
• 1/2008: SANS Information Sharing Award
• 12/2008: Incorporated as EnergySec
• 10/2009: 501(c)(3) nonprofit determination
• 4/2010: EnergySec applied under the National Electric Sector
Cybersecurity Organization (NESCO) Funding Opportunity Announcement (FOA)
• 7/2010: NESCO grant award from DOE
• 10/2010: NESCO became operational
9. What Is The NESCO?
10. What NESCO Isn’t
11. Tweetable Quote #1
• The collective smarts of industry peeps is orders
of magnitude > any 1 person or org #icsjwg
#nesco
• The collective intelligence and wisdom of industry
practitioners is orders of magnitude larger than
any one person or organization.
12. What’s Wrong with Top Down?
• “Increasing use of corporate resources for regulation
compliance activities reduces the resources available for
security enhancements.”
• “For example, as a result of the NERC CIP standards,
some utilities shifted to less efficient technologies
because the cost to comply was greater than the cost to
use an older technology. Others spent resources on
compliance that were originally intended for additional
cybersecurity measures.”
• Source: http://www.controlsystemsroadmap.net/pdfs/2011_roadmap_draft.pdf
13. What’s Wrong with Top Down?
• “Organizations have made PCI DSS and compliance in
general the basis of their information security policies.
They're basing security on sloppy logic from Visa and
MasterCard and in the process are ignoring some very
bad state-sponsored threats. As a community, we have
not evolved at all."
• "There are really bad people out there doing bad things
and few pay attention to things like state-sponsored
attacks and cyber warfare. This is because everyone's
focusing on compliance,"
• Josh Corman, Nov 4, 2009:
http://www.csoonline.com/article/506635/analyst-pci-security-a-devil-like-no-child-left-behind-
14. Tweetable Quote #2
• Regs r like Socialism; Proponents blame failure
on poor implementation, not inherent flaws
#icsjwg #nesco
• Regulation is like Socialism; proponents blame
its failure on poor implementation rather than its
inherent flaws
15. A Tale of Two ESPs
• “The Responsible Entity shall ensure that every
Critical Cyber Asset resides within an Electronic
Security Perimeter.” (NERC CIP-005, Requirement R1)
16. Tweetable Quote #3
• We can prescribe action, but not attitude, and
attitude is the secret sauce of security #icsjwg
#nesco
17. A Ground Up Approach
• Engage
• Equip
• Empower
18. Engage
• NESCO outreach programs
– Annual Summit (October 2011, San Diego)
– Town Hall Meetings (August, Seattle area)
– Voice Of The Industry Meetings (everywhere)
– Interest Groups (Workforce Development, Forensics,
etc.)
– Webinars, Briefings
– Portal/Forums
– Email distribution lists
– Social media
19. Equip
• ROS³ES - Repository of Open Source Security
Solutions for the Energy Sector
– Program supporting the use and development of open,
industry specific security solutions
• NESCO Academy
– Cybersecurity education and workforce development
• Share
– Case studies, good practices, tactical awareness, etc.
20. Empower
• “I'm slowly becoming a convert to the principle
that you can't motivate people to do things, you
can only demotivate them. The primary job of the
manager is not to empower but to remove
obstacles.”
• -Scott Adams, creator of Dilbert
21. Tweetable Quote #4
• The secret to securing CIKR is finding the right
people and getting out of their way #icsjwg
#nesco
• The secret to securing critical infrastructure is to
identify the people with the requisite knowledge
and skills, and then get out of their way.
22. The Physics of Organizations: Inertia
• Inertia is the resistance of any physical object to a change in its
state of motion or rest, or the tendency of an object to resist any
change in its motion. It is proportional to an object's mass.
• Even positive and needed change is hard
23. The Physics of Organizations: Momentum
• Momentum is the product of the mass and velocity of an object.
Like velocity, momentum is a vector quantity, possessing a direction
as well as a magnitude.
• Action in the wrong direction can be worse than no action at all
24. The Physics of Organizations: Gravity
• The force that attracts a body toward the center of the earth
• The incessant pull of mediocrity
25. The Power to Change
• A force is any influence that causes a free body to undergo a
change in speed, a change in direction, or a change in shape.
• In the context of organizations and institutions, force comes
from people.
26. You CAN Make a Difference
• "Never doubt that a small group of thoughtful,
committed people can change the world. Indeed,
it's the only thing that ever has." -Margaret Mead