August 28, 2014 ABB Power Generation Cyber Security Users Group

Transcription

ABB Power Generation Cyber Security Users Group, August 28, 2014 (ABB Group, August 28, 2014, Slide 1)

Registration / Peer Group Survey




ABB Power Generation Cyber Security Users Group - Agenda
- Introductions
- Cyber Security Users Group Overview
- ICS Cyber Security Intelligence Briefing - Bob Huber, CEO, Critical Intelligence
- What you need to know about NERC CIP - Joe Baxter, NERC CIP Lead, ABB
- ABB DCS Security Best Practices - John Brajkovich, Team Leader, Remote Enabled Service, ABB
- Audience Q&A - any security topic of interest
- Response Polling
- Conclude: pop-up response survey (5 minutes of your time)

Today's Expert Panel
- Mike Radigan, Senior Advisor, Cyber Risk Management, ABB PSPG - Mike.Radigan@us.abb.com
- Robert "Bob" Huber, CEO, Critical Intelligence - robert.huber@critical-intelligence.com, (208) 965-2114
- Joseph "Joe" Baxter, NERC CIP Lead, ABB HV/DC - joseph.baxter@us.abb.com, (614) 398-6241
- John Brajkovich, Sr. Engineer & Team Lead, ABB PA Remote Enabled Services - john.brajkovich@us.abb.com

Join the ABB DCS Users Group - Share, exchange, and connect with your peers!
Website: www.adcsug.com
Users of ABB control system products and services in the power and water industries.
Forum to: share experiences, learn and collaborate with industry peers, measurably influence and improve ABB control products and services.
Top 5 reasons to join the group:
- Networking: true peer-to-peer forums
- Improvement suggestions: day-to-day challenges discussed and ideas exchanged
- News: related articles and information from the industry
- Events calendar: stay connected with users and ABB Power Generation
- Polls / surveys: express your opinion and make your voice heard
"The value of a users group, and that in particular of ABB DCS Users Group, is that as a group we have more access and leverage to change and improve the product than as individuals acting alone. It also allows us to participate in discussions that bring the best ideas forward and facilitates sharing information that helps everyone." - Bill Ossman, ABB DCS Users Group STECO member

ABB Cyber Security User Group - Special Interest Groups (SIG) within the ABB DCS Users Group
Customer Co-Chairs (3-4 desired for each)
- Cyber Security SIG: quarterly GoToWebinar sessions
- NERC CIP v5 SIG: GoToWebinar sessions
Session dates listed on the slide: August 28th, November 20th ("Next Steps for Low Impact Asset Owners"), Sept 25th, October 23rd, January 22nd

NERC CIP v5 SIG - Three (3) Part Series on NERC CIP v5 for Power Generation
- Part I: BES Cyber System Asset Categorization - Approaches to CIP-002-5.1 R1 (Sept 25th)
- Part II: BES Cyber System Asset Grouping (Oct 23rd)
- Part III: Low Assets and Future CIP Versions (Nov 20th)
Registration is now open for Part I on September 25th.
Featuring NERC CIP v5 Expert Panel:
- Tim Conway, Chair of NERC CIP Interpretation Drafting Team
- Joe Doetzl, FERC Order 706 Drafting Team, former NERC compliance consultant
- Joe Baxter, former NERC CIP auditor in SERC region


Security Workplace - Reliability, Security, Compliance
Security Baseline Requirements (MAINTAIN):
- ServiceGrid support contract
- Automated backup & recovery
- ServiceGrid Cyber Security Patch delivery
- System hardening
- Managed anti-virus deployment
- Managed Microsoft patching deployment
Proactive Security Measures (DEFEND):
- Electronic perimeter protection*
- Security event management*
- ICS asset management*
- Configuration change management*
NERC CIP Compliance (COMPLY):
- Automated data collection*
- Automated compliance reporting*
- Policy management*
* Available for fleet-wide and multi-vendor control systems
** Active ServiceGrid contract required
Legend: Included / Available as an option


ICS Cyber Security Intelligence Briefing for the Electric Sector
Robert Huber, bob@critical-intelligence.com

Importance of the Electric Sector
- The electric sector supports all other 17 critical infrastructure and key resource sectors (CIKRs)
- High value target (HVT) for activists, hacktivists, terrorists and nation states

[Chart: Public ICS-Specific Vulnerabilities by Quarter]

[Chart: ICS Exploits by Quarter - Total Exploit Modules by Quarter]

[Chart: ICS Cyber Security Presentations - Number of ICS Cyber Security Presentations per Year, 2006-2014]

ICS Attack Tools

Anyone noticing a trend here?

Threats
- Nation state actors (generally): China, Russia, Iran
- Generally targeted attacks via spearphish and watering holes

Spearphishing Research
- Critical Intelligence partnered with Digital Bond and PhishMe to test response rates from targeted personnel in the energy industry
- 40 targets were identified in each firm
- Over 25% clicked on our targeted email - means we likely could have compromised their systems
- Job titles of those that clicked our link: Control System Supervisor, Automation Technician, Equipment Diagnostics Lead, Instrument Technician, Senior VP of Operations and Maintenance

Recent Attack Highlights
- Energetic Bear/Crouching Yeti - Havex malware
- Night Dragon campaign - energy
- Gas Pipeline campaign - numerous electric utilities
- ShadyRAT campaign - energy
- Hidden Lynx campaign - energy
- Mandiant's APT 1 report on China - energy
- EnergySec/NESCO
- Iran hackers accused of targeting US energy firms: "The latest campaign has targeted the control systems that run the operations of oil and gas as well as power companies"
- "A report published in May by U.S. Reps. Ed Markey (D-Mass.) and Henry A. Waxman (D-Calif.) showed that power companies were targeted at an alarming rate"
- DHS ICS-CERT reports that 59% of incidents responded to were energy sector


Air Gap Myth?
- Read "#1 ICS and SCADA Security Myth: Protection by Air Gap" (link fragment: ...adasecurity-myth-protection-air-gap)
- Protected by 4-20mA loop networks? Don't think so.
- HRTShield is a toolset for exploiting HART networks and was created by Russian researcher Alexander Bolshev
- "None of the vulnerabilities [uncovered at the NESCOR summit] pose as great a risk as the belief that your system is isolated." - Chris Blask, CEO, ICS Cybersecurity Inc.

EBO
- Effects-based operations: attack to achieve a specific effect, e.g. take out power
  - Shoot up a substation
  - Drop a graphite bomb (Iraq)
  - Mylar balloon
  - Cyber attack (easiest to prepare, easier than physical, execution cost is low)
- The lowest cost for any adversary to achieve a specific effect in the electric sector is via cyber means
  - No physical access required
  - Easy to use tools and techniques are freely and readily available

Compliance and Security - Pick Any Two (ABB Group, August 28, 2014)

ABB Cyber Security User Group - Quick Background: Joseph Baxter
- Joseph Baxter - NERC CIP Lead / ABB HVDC and FACTS
- CGEIT, CISSP, CISA, CISM, MCSE S, MCDBA, EIEIO
Previous experience:
- Audit Team Lead / CIP Auditor for SERC Region of NERC. Participated in many joint audits with RFC, MRO, and WECC / audited the BA function of SPP
- Over 20 years of IT, 15 dedicated to cyber security beginning in the financial sector
- Joined the utility sector in 2008, built a CIP program from scratch for a large multi-state entity

ABB Cyber Security User Group - Cyber Security is Not Compliance
- Many compliance "solutions" are nothing more than retreads of security monitoring packages
- Many compliance "solutions" do nothing more than function as "self-report creation engines"
- Security concepts do not always map directly to compliance concepts
- Cyber security never pays for itself in detectable value; however, compliance does in real ways

ABB Cyber Security User Group - The Four T's of Risk
- Tolerate: "The cost of mitigation outweighs the benefit" (not much use in the Standards currently)
- Transfer: "I pay someone else to own the risk" (life insurance, etc.)
- Terminate: "I can live without it" (simpler to just go without)
- Treat: "I will do what I must to fix it" (things I cannot do without)

ABB Cyber Security User Group - Selecting What's Important
- Before: RBAM - Risk Based Assessment Methodology (CIP v.1 to v.3), applied to the BES
- Now: BLC - Bright Line Criteria (CIP v5); introduces concepts of High, Medium, and Low Impact Levels (Highs, Mediums, Lows)
- Still a "deductive" process used for selection in CIP-002-5.1

ABB Cyber Security User Group - The Many Paths to Medium
- Aggregate generation of 1500 MW in the preceding 12 calendar months
- Reactive locations with 1000 MVARs
- Generation the PC or TP designates
- Any Transmission operated at 500 kV
- Any Transmission with enough points
- Generation critical to IROL
- Transmission for Nuclear Interfaces

ABB Cyber Security User Group - The Highs of Lows
CIP-003-5 R2 (points to CIP-002-5.1 R1.3):
- Cyber Security Awareness
- Physical Security Controls
- Electronic Access Controls (External Routable Connectivity, Dial-up Connectivity)
- Cyber Security Incident Response
- No list needed


ABB Power Generation - Reducing Your Attack Surface: System Hardening
John Brajkovich, RES - Team Lead, ABB Inc.

Reducing Your Attack Surface - Agenda
- Defense In Depth
- Principles of Cyber Security
- System Hardening and Policy Implementation
- Patch Management
- Provided Cyber Security Services

Reducing Your Attack Surface - Defense In Depth
The principle of Defense in Depth is a concept that creates detection measures that are both independent and redundant.
Layers of Cyber Security:
- Firewall
- Patch Management
- Antivirus
- Group Security Policies
- System Hardening
- User Roles
- Access Controls

Reducing Your Attack Surface - Principles of Cyber Security
- Principle of Least Privilege: no user should have more rights and permissions than needed to perform his function in the system
- Principle of Least Function: only the functions needed for the system to accomplish its purpose should be present or enabled in the system

Reducing Your Attack Surface - System Hardening and Policy Implementation
User roles, access control and workstation hardening:
- Enforce domain-wide policies
- Establish hierarchy of user accounts
- Restriction of operator policies
Hardening ports and services:
- Close unnecessary ports
- Disable non-essential services
- Disabling/locking of removable media

Reducing Your Attack Surface - System Hardening and Policy Implementation
Schedule appropriate time for implementation:
- No operational impact, but always be cautious
- Operating system obsolete? Software upgrade required?
- Regularly scheduled implementation
Implement changes on site:
- Configure with firewall and other mechanisms
- Majority of changes in group policies
- Test all changes in the operating environment

Reducing Your Attack Surface - Patch Management
- Patch management is arguably the most important cyber security control today
- Vendor should approve patches before installation
- Systems should be audited at the update interval to ensure they are up to date and no unapproved patches are installed
- Centralized patch management is preferred for auditing and speed
- Reasons for patching?

Reducing Your Attack Surface - Patch Management
- Legacy systems should be upgraded to the latest OS at the first opportunity
- Use Defense in Depth and other controls to achieve as secure a state as possible
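One way to run the audit the patch management slides call for (vendor-approved list versus what is actually installed on each DCS node), written here as an added example rather than ABB's own tooling: it assumes Windows nodes reachable by Get-HotFix, and the KB identifiers in $ApprovedPatches are constructed placeholders.

```powershell
# Added example, not ABB code: audit a Windows DCS node against the
# vendor-approved patch list for this update interval.
# $ApprovedPatches is a constructed placeholder; the real list is the
# cumulative set of KBs the vendor has approved for this node type.
$ApprovedPatches = @('KB0000001', 'KB0000002', 'KB0000003')

function Get-PatchAuditResult {
    param(
        [Parameter(Mandatory)][string[]]$ApprovedPatches,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Get-HotFix reads Win32_QuickFixEngineering, locally or over DCOM for a
    # remote node; it lists OS hotfixes, not third-party application updates.
    $installed = @(Get-HotFix -ComputerName $ComputerName |
                   Select-Object -ExpandProperty HotFixID)

    # Approved but absent: the node was missed or the install failed.
    $missing    = @($ApprovedPatches | Where-Object { $_ -notin $installed })
    # Present but never approved: installed outside the controlled process.
    $unapproved = @($installed | Where-Object { $_ -notin $ApprovedPatches })

    [pscustomobject]@{
        Computer            = $ComputerName
        InstalledCount      = $installed.Count
        MissingApproved     = $missing
        UnapprovedInstalled = $unapproved
        # Compliant only when nothing is missing and nothing unexpected is present.
        Compliant           = ($missing.Count -eq 0) -and ($unapproved.Count -eq 0)
    }
}

# Run against a list of nodes; the local machine stands in for the fleet inventory.
$nodes = @($env:COMPUTERNAME)
$results = foreach ($node in $nodes) {
    Get-PatchAuditResult -ApprovedPatches $ApprovedPatches -ComputerName $node
}
$results | Format-List
```

Any node with a non-empty UnapprovedInstalled list is one where something bypassed the vendor-approval step, which is the second condition the slide asks the audit to catch.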

Reducing Your Attack Surface - Commonly Missed in Hardening
- SneakerNet connections
- Failure to secure removable media
- Nodes missed during the update process
- Network shares on control system machines
- Antivirus not completing periodic scans
- Inadvertent connections in "air gapped" networks
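An added check (not ABB's code) covering items from the "Hardening ports and services" slide and the "Commonly Missed in Hardening" slide above: running services not on the baseline, listening ports not on the baseline, and non-administrative network shares on a control system machine. The allowlists are constructed placeholders, and Get-NetTCPConnection and Get-SmbShare require Windows 8 / Server 2012 or later.

```powershell
# Added example, not ABB code. Baselines below are constructed placeholders;
# the real ones come from the vendor-approved configuration for the node.
$ApprovedServices = @('Dnscache', 'EventLog', 'LanmanWorkstation', 'wuauserv')
$ApprovedPorts    = @(135, 445, 3389)

function Get-HardeningFindings {
    param(
        [string[]]$ApprovedServices,
        [int[]]$ApprovedPorts
    )
    $findings = @()

    # Least Function: a running service that is not on the baseline is a finding.
    foreach ($svc in (Get-Service | Where-Object { $_.Status -eq 'Running' })) {
        if ($svc.Name -notin $ApprovedServices) {
            $findings += [pscustomobject]@{ Type = 'Service'; Item = $svc.Name; Detail = $svc.DisplayName }
        }
    }

    # Open ports: every listening TCP port outside the baseline, with the owning process.
    $listeners = Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique
    foreach ($conn in $listeners) {
        if ($conn.LocalPort -notin $ApprovedPorts) {
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{ Type = 'Port'; Item = $conn.LocalPort; Detail = $proc.ProcessName }
        }
    }

    # Network shares on control system machines: report every non-administrative share.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        $findings += [pscustomobject]@{ Type = 'Share'; Item = $share.Name; Detail = $share.Path }
    }

    return $findings
}

Get-HardeningFindings -ApprovedServices $ApprovedServices -ApprovedPorts $ApprovedPorts |
    Format-Table -AutoSize
```

Run it before and after a group policy change to confirm the change actually closed the ports and stopped the services it was meant to, as the "test all changes in the operating environment" point requires.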

Reducing Your Attack Surface - Cyber Security Services
- Cyber Security Fingerprint
- Security Patch Delivery - monthly approved patches
- Cyber Security Patch Management Services: verify patch deployment remotely; scheduled service visits for patch deployment
- Security Workplace - centrally managed server

Reducing Your Attack Surface - Agenda Re-Cap
- If Defense in Depth is not being applied in your organization, you can be at risk of attacks that can penetrate basic security levels.
- By applying the principles of cyber security, namely the principles of least privilege and least function, you can better protect yourselves from attacks.
- Coupling these principles with more rigorous policy implementation and patch management with the proper scheduling, you can secure your system from a vast majority of cyber attacks.
- ABB's team can help with the understanding of all of these topics and provide information on the available services.

