Security From the Ground Up
Steven Parker
May 3 2011
ICSJWG Spring Conference
Thesis
• Because top down approaches have proven insufficient, and in some cases detrimental, to advancing the security posture of critical infrastructure, bottom up efforts are needed that engage practitioners, equip them with tools and resources, and empower them to take action.

The National Electric Sector Cybersecurity Organization
(NESCO) is a DOE-funded EnergySec Program                 2
Thesis (Tweetable version)
• Security depends more on people than policy. #icsjwg #nesco

Me & My Org
• My name is Steve
• I work for EnergySec
• EnergySec is currently working exclusively on a DOE-funded project to establish the National Electric Sector Cyber Security Organization (NESCO)

One of My Failures

Things I Know a Little

Things I Know a Little Less

• Industrial Control Systems
• EMS/DCS
• Protective relays
• Communications equipment
• SCADA

History
• 7/2004: EnergySec founded as E-Sec NW
• 1/2008: SANS Information Sharing Award
• 12/2008: Incorporated as EnergySec
• 10/2009: 501(c)(3) nonprofit determination
• 4/2010: EnergySec applied for National Electric Sector Cybersecurity Organization (NESCO) FOA
• 7/2010: NESCO grant award from DOE
• 10/2010: NESCO became operational

What Is The NESCO?

What NESCO Isn’t

Tweetable Quote #1
• The collective smarts of industry peeps is orders of magnitude > any 1 person or org #icsjwg #nesco

• The collective intelligence and wisdom of industry practitioners is orders of magnitude larger than any one person or organization.

What’s Wrong with Top Down?
• “Increasing use of corporate resources for regulation compliance activities reduces the resources available for security enhancements.”
• “For example, as a result of the NERC CIP standards, some utilities shifted to less efficient technologies because the cost to comply was greater than the cost to use an older technology. Others spent resources on compliance that were originally intended for additional cybersecurity measures.”
• Source: http://www.controlsystemsroadmap.net/pdfs/2011_roadmap_draft.pdf

What’s Wrong with Top Down?
• “Organizations have made PCI DSS and compliance in general the basis of their information security policies. They're basing security on sloppy logic from Visa and MasterCard and in the process are ignoring some very bad state-sponsored threats. As a community, we have not evolved at all.”
• “There are really bad people out there doing bad things and few pay attention to things like state-sponsored attacks and cyber warfare. This is because everyone's focusing on compliance.”
• Source: Josh Corman, Nov 4, 2009, http://www.csoonline.com/article/506635/analyst-pci-security-a-devil-like-no-child-left-behind-

Tweetable Quote #2
• Regs r like Socialism; Proponents blame failure on poor implementation, not inherent flaws #icsjwg #nesco

• Regulation is like Socialism; proponents blame its failure on poor implementation rather than its inherent flaws.

A Tale of Two ESPs
• “The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter.”

Tweetable Quote #3
• We can prescribe action, but not attitude, and attitude is the secret sauce of security #icsjwg #nesco

A Ground Up Approach

• Engage
• Equip
• Empower

Engage
• NESCO outreach programs
  – Annual Summit (October 2011, San Diego)
  – Town Hall Meetings (August, Seattle area)
  – Voice Of The Industry Meetings (everywhere)
  – Interest Groups (Workforce Development, Forensics, etc.)
  – Webinars, Briefings
  – Portal/Forums
  – Email distribution lists
  – Social media

Equip
• ROS³ES - Repository of Open Source Security Solutions for the Energy Sector
  – Program supporting the use and development of open, industry specific security solutions
• NESCO Academy
  – Cybersecurity education and workforce development
• Share
  – Case studies, good practices, tactical awareness, etc.

Empower
• “I'm slowly becoming a convert to the principle that you can't motivate people to do things, you can only demotivate them. The primary job of the manager is not to empower but to remove obstacles.”
  – Scott Adams, creator of Dilbert

Tweetable Quote #4
• The secret to securing CIKR is finding the right people and getting out of their way #icsjwg #nesco

• The secret to securing critical infrastructure is to identify the people with the requisite knowledge and skills, and then get out of their way.

The Physics of Organizations
Inertia
• Inertia is the resistance of any physical object to a change in its state of motion or rest, or the tendency of an object to resist any change in its motion. It is proportional to an object's mass.
• Even positive and needed change is hard

The Physics of Organizations
Momentum
• Momentum is the product of the mass and velocity of an object. Like velocity, momentum is a vector quantity, possessing a direction as well as a magnitude.
• Action in the wrong direction can be worse than no action at all

The Physics of Organizations
Gravity
• The force that attracts a body toward the center of the earth
• The incessant pull of mediocrity.

The Power to Change
• A force is any influence that causes a free body to undergo a change in speed, a change in direction, or a change in shape.
• In the context of organizations and institutions, force comes from people.

You CAN Make a Difference
• "Never doubt that a small group of thoughtful, committed people can change the world. Indeed, it's the only thing that ever has." -Margaret Mead

 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Recently uploaded (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Security From the Ground Up

9. What Is The NESCO?
The National Electric Sector Cybersecurity Organization (NESCO) is a DOE-funded EnergySec Program

10. What NESCO Isn’t

11. Tweetable Quote #1
• The collective smarts of industry peeps is orders of magnitude > any 1 person or org #icsjwg #nesco
• The collective intelligence and wisdom of industry practitioners is orders of magnitude larger than any one person or organization.

12. What’s Wrong with Top Down?
• “Increasing use of corporate resources for regulation compliance activities reduces the resources available for security enhancements.”
• “For example, as a result of the NERC CIP standards, some utilities shifted to less efficient technologies because the cost to comply was greater than the cost to use an older technology. Others spent resources on compliance that were originally intended for additional cybersecurity measures.”
• http://www.controlsystemsroadmap.net/pdfs/2011_roadmap_draft.pdf

13. What’s Wrong with Top Down?
• “Organizations have made PCI DSS and compliance in general the basis of their information security policies. They're basing security on sloppy logic from Visa and MasterCard and in the process are ignoring some very bad state-sponsored threats. As a community, we have not evolved at all.”
• “There are really bad people out there doing bad things and few pay attention to things like state-sponsored attacks and cyber warfare. This is because everyone's focusing on compliance.”
• http://www.csoonline.com/article/506635/analyst-pci-security-a-devil-like-no-child-left-behind-
• Josh Corman, Nov 4, 2009

14. Tweetable Quote #2
• Regs r like Socialism; Proponents blame failure on poor implementation, not inherent flaws #icsjwg #nesco
• Regulation is like Socialism; proponents blame its failure on poor implementation rather than its inherent flaws.

15. A Tale of Two ESPs
• “The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter.”

16. Tweetable Quote #3
• We can prescribe action, but not attitude, and attitude is the secret sauce of security #icsjwg #nesco

17. A Ground Up Approach
• Engage
• Equip
• Empower

18. Engage
• NESCO outreach programs
  – Annual Summit (October 2011, San Diego)
  – Town Hall Meetings (August, Seattle area)
  – Voice Of The Industry Meetings (everywhere)
  – Interest Groups (Workforce Development, Forensics, etc)
  – Webinars, Briefings
  – Portal/Forums
  – Email distribution lists
  – Social media

19. Equip
• ROS³ES - Repository of Open Source Security Solutions for the Energy Sector
  – Program supporting the use and development of open, industry specific security solutions
• NESCO Academy
  – Cybersecurity education and workforce development
• Share
  – Case studies, good practices, tactical awareness, etc

20. Empower
• “I'm slowly becoming a convert to the principle that you can't motivate people to do things, you can only demotivate them. The primary job of the manager is not to empower but to remove obstacles.”
• -Scott Adams, creator of Dilbert

21. Tweetable Quote #4
• The secret to securing CIKR is finding the right people and getting out of their way #icsjwg #nesco
• The secret to securing critical infrastructure is to identify the people with the requisite knowledge and skills, and then get out of their way.

22. The Physics of Organizations: Inertia
• Inertia is the resistance of any physical object to a change in its state of motion or rest, or the tendency of an object to resist any change in its motion. It is proportional to an object's mass.
• Even positive and needed change is hard

23. The Physics of Organizations: Momentum
• Momentum is the product of the mass and velocity of an object. Like velocity, momentum is a vector quantity, possessing a direction as well as a magnitude.
• Action in the wrong direction can be worse than no action at all

24. The Physics of Organizations: Gravity
• The force that attracts a body toward the center of the earth
• The incessant pull of mediocrity.

25. The Power to Change
• A force is any influence that causes a free body to undergo a change in speed, a change in direction, or a change in shape.
• In the context of organizations and institutions, force comes from people.

26. You CAN Make a Difference
• “Never doubt that a small group of thoughtful, committed people can change the world. Indeed, it's the only thing that ever has.” -Margaret Mead