8th Annual Summit

Tuesday, September 25th, 2012

Plenary Sessions

Welcome Address

Patrick Miller, CEO, EnergySec

Wednesday, September 26th, 2012

Plenary Sessions

Opening Keynote

Richard Clarke, Chairman, Good Harbor Security Risk Management

Cyber risks to the electric power industry have become increasingly significant in recent years and will continue to grow with the adoption of new networked technologies. As a result, the electric industry faces increasing oversight and scrutiny from regulators, legislators, executive government agencies, insurers, and others. Because of the severe financial, legal, operational, and reputational consequences cyber risks pose, responsibility for managing these risks must reside with senior corporate executives. In his keynote, Richard Clarke will discuss how electric power executives can manage these risks through improvements in internal governance, application security development processes, vendor risk management, and crisis preparedness.

Make Your Employees Mal-AWARE: Implementing a Scalable Behavior Modification Program

Rohyt Belani, CEO, PhishMe

Cyber crime and electronic espionage, most commonly, initiate with an employee clicking a link to a website hosting malware, opening a file attached to an email and laden with malware, or just simply giving up corporate credentials when solicited via phishing websites. Phishing has been used to hijack online brokerage accounts to aid pump n’ dump stock scams, compromise government networks, sabotage defense contracts, steal proprietary information on oil contracts worth billions, and break into the world’s largest technology companies to compromise their intellectual property. Technical controls presented as silver bullets provide false hope and a false sense of security to employees, promoting dangerous behaviors. This continued threat makes it more important than ever for companies to provide an effective security awareness program to users on their networks. During this talk, I will present the techniques used by attackers to execute these attacks, and real-world cases that my team have responded to that will provide perspective on the impact. I will then discuss countermeasures that have been proven to be effective and are recommended by reputed bodies like SANS. It’s about more than awareness training, it’s about modifying employee perception of phishing emails and the responses to these types of attacks.

Policy Track

Regulation, CIP is Only the Beginning

Prudence Parks, Dir. of Government Affairs & Legislative Counsel, UTC

The availability of spectrum for utility communications networks, heightened consumer protection and privacy concerns, cloud computing and its application to the smart grid, supply chain security – these are just some of the policy and regulatory issues that could have a significant impact on utilities as they integrate millions of data points for more efficient control of the modernized grid.  Attention has been focused on compliance with NERC-CIP mandates and passing audits, but what is their place in the broader security picture?  Will other policy developments change the landscape of grid security?

NERC CIP Access Monitoring: What Constitutes a Shared Account?

Spencer Wilcox, Special Assistant to the VP of Corporate and Information Security Services and Lead Security Strategist, Exelon

NERC CIP standards 003-007 define access and shared accounts. What constitutes a shared account? Does your IAM account for all personnel with access to your UNIX and Windows systems? This presentation will explore the intricacies of access, and help you to better document your access and account management evidence leading up to your next audit.

ES-C2M2 Case Study

Benjamin Beberness, CIO, Snohomish PUD

John Fry, Subject Matter Expert Support, ICF International Cyber Security Solutions

The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), which allows electric utilities and grid operators to assess their cybersecurity capabilities and prioritize their actions and investments to improve cybersecurity, combines elements from existing cybersecurity efforts into a common tool that can be used consistently across the industry. The ES-C2M2 was developed as part of a White House initiative led by the Department of Energy in partnership with the Department of Homeland Security (DHS) and involved close collaboration with industry, other Federal agencies, and other stakeholders. This presentation covers a real-world “case study” of how this ES-C2M2 work can easily be adapted to improve cyber security at your organization.

Behind the Curtain: The Challenge As Seen Through The Eyes of a CIP Auditor

Josh Axelrod, Senior Manager in the Advisory Services, Ernst & Young – Moderator

Matt Stryker, Manager of CIP Compliance Monitoring, SERC

Brent Castegnetto, Manager, Cyber Security Audit Team, WECC

Darren Nielsen, Cyber Security Compliance Auditor, WECC

This panel of current NERC CIP Auditors will share their perspectives about the various challenges entities are facing with regard to demonstrating compliance. The moderator will be asking tough questions about the consistency of approaches amongst the Regional Entities, the impact of Compliance Application Notices on the audit process, and their thoughts on the maturation of Technical Feasibility Exceptions.

Grass Roots Compliance: How Communities Improve Compliance

Lisa Carrington, Director of Government Affairs, EnergySec – Moderator

Matt Jastram, Chair, Western Interconnection Compliance Forum

Josh Sandler, North American Generator Forum

Often the most powerful and successful efforts start with a few people coming together to solve a problem. In the past 5 years a number of “compliance communities” have sprung up across North America. Panelists give their individual takes on how they are using these communities to keep up on current industry-specific security regulatory developments and how they are sharing this information with the forums they represent. The panel will discuss the challenges of providing relevant information to their constituencies, communication strategies, community-driven solutions and the power of group dynamics as it relates to addressing security regulation as well as their thoughts on the importance of participating in community-based programs.

Privacy Fact & Fiction: What You Really Need to Know

Gal Shpantzer, Senior Security Advisor, EnergySec – Moderator

Chris Villarreal, Senior Regulatory Analyst, California Public Utilities Commission

Sarah Cortes, MS, PMP, CISA

Chris Shepherd, President and Owner, ICCT

Lee Tien, Senior Staff Attorney, Electronic Frontier Foundation

There is a tremendous amount of public concern about the privacy of the data being collected and used as part of the national Smart Grid push. This panel will explore the importance of privacy matters with respect to Smart Grid efforts. The moderator will be asking questions about government’s role in protecting consumer privacy, to what extent personal data is being exposed, and what smart grid implementers should consider with regard to the protection of personal data.

Regulation and Policy Round Table

Patrick Miller, President and CEO, EnergySec

Those things that have the greatest impact on compliance are very often the things we have the least control over. This discussion takes a look at currently evolving policy, regulation and trends to consider their impact on the various cyber security efforts currently underway in the industry. The format of this discussion is a roundtable, which means everyone is encouraged to participate and offer their own thoughts and insights about what they are seeing in their own company.

Technical Track

Detecting Malware Without Anti-Virus

Jeff Bryner, Principal, P0wn Labs

When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor, and when they suspect a compromise they simply wait for that vendor to issue signatures. If a company thinks it may be compromised but there is no AV signature, then what? What if we could use basic Python scripting to identify malware based on signatures we produce in real time? There are plenty of Python tools, scripts and frameworks for malware identification including yara, pefile, nsrl hash db, pyemu, hachoir, volatility and pyew. What if we could integrate these together into a system for centrally issuing indicators of compromise? What if hosts we suspect as being compromised used this system to check themselves for compromise? Let’s find out…

Substation Remote Access –  Entergy Style

Chris Sistrunk, Sr. Engineer, T&D Technical Services Dept at the Energy Delivery Headquarters, Entergy

Increasing cyber threats and changing NERC/CIP standards have caused Entergy to design and implement a new system for substation remote access.  This system provides the access that engineers and technicians need, utilizes security best practices, leverages existing equipment, and is poised for future expansion and technologies.

Identifying and Managing Network Zones in CIP-005

Edmond Rogers, Smart Grid Cyber Security Engineer, Information Trust Institute, University of Illinois Urbana-Champaign

Identifying and managing network zones for CIP compliance can require long hours of effort reviewing Visio diagrams. The presentation will provide an overview of the issues that administrators face in producing documentation that is flexible and meets both operational and compliance needs with regard to identifying and managing network zones within a critical infrastructure network. The presentation will close with an overview of the Network Access Policy Tool (NetAPT). NetAPT is designed to provide automated documentation of network trust zones.

Keys to a More Successful Security Program

Joachim Gloschat, Physical Security Specialist, ICCT

An effective security program is a living thing. It is comprised of a myriad of equipment, actions, policies, and procedures, all of which interconnect and rely on each other in order to provide a comprehensive and effective program. The collection of documents, together forming the security program, must be, by design and intent, focused on three primary missions: remedial measures, preventative measures, and, overlapping both of these, education. The security plan must accurately describe situations both present and future; capture potential scenarios and consequences; detail the organization’s actions both during and following specific events; and educate the organization on the specific roles specific groups play. Joachim Gloschat’s presentation will address all this and more as he explores what makes a successful physical security program.

“All My Exes”  – A view of the industry from those who have left

Brandon Dunlap, Chief Marketing Officer, EnergySec – Moderator

Dave Lewis, Senior Information Security Analyst, AMD

James Arlen, Senior Consultant, Taos

Lisa Tawfall, CIRT Analyst, Bechtel

Don MacVittie, Technical Marketing Manager, F5 Networks

Each person on this panel has recently left a security related job in the energy sector. This panel will discuss their various reasons for leaving, what Industrial Control System security issues they believe should be on the top of everyone’s list, and their unique perspective on the security compliance programs that are currently in place in the industry or on the horizon.

Best Practices on Managing Ports and Services

Jacob Kitchel, Sr. Manager of Security and Compliance, Industrial Defender

Copy and paste netstat into an Excel spreadsheet – DONE! Save nmap output into a spreadsheet – DONE! Copy a vendor’s ports list into a spreadsheet – DONE! Our industry’s fascination with managing compliance data by taking default tool output and throwing it into Excel spreadsheets is widely known. This presentation on managing ports and services will finally provide you with the desire to pry those spreadsheets from your hands in exchange for a more robust, accurate, and sustainable solution. We will cover methods to support security and compliance while at the same time increasing accuracy, reliability, and insight into ports and services through the use of automation, change control, and visibility.

Thursday, September 27th, 2012

Plenary Sessions

Steve Parker, VP Technical Research, EnergySec and NESCO

Winston Churchill once said, “Attitude is a little thing that makes a big difference.” Indeed, when it comes to security, fostering the right attitude is essential. But can attitude be mandated? Or must it be carefully cultivated and encouraged? This presentation will discuss the limitations of regulatory approaches to security, and explore what is really needed to secure our critical energy infrastructure.

The Power of Community

Deb Bryant, Principal, Deb Bryant and Associates

Increasing complexity and ever-present demand on cyber/information security are placing greater pressure on managing and remediating those risks. With the rise of the Smart Grid, a networked world has broad implications for security. Networking the solution – not in technical terms but in human and organizational terms – may provide the best approach to flanking the speed of the challenge. Easier said than done, but the model for developing open source software might work, so says a recent study.

A recently completed study underwritten by EnergySec and conducted by Oregon State University suggests the energy industry is beginning to follow others in including open source software in its solution set and, perhaps most significantly, adopting the model itself to develop tools and applications within its own community.

In her talk, Deborah Bryant, international open source expert and Principal Investigator for the study, will share perspectives from a range of energy industry stakeholders, discuss early adopters and innovators, and explore some other public sector examples of organizations using an open source approach to solving some of their most challenging problems.

Policy Track

The View From Here: A State Regulator’s Perspective

Patrick Miller, President and CEO, EnergySec – Moderator

Christopher Villarreal, Senior Regulatory Analyst, California Public Utilities Commission

Commissioner John Savage, Oregon Public Utility Commission

Thom Pearce, Senior Utility Specialist, Public Utilities Commission of Ohio

Alan Rivaldo, Cyber Security Analyst, Public Utility Commission of Texas

The State Regulatory role is highly influential, setting policy direction at the state, regional and national levels. Many state Commissions are becoming more interested in cybersecurity and posing challenging questions to their covered utilities. A dynamic moderator and a panel consisting of staff and Commissioners from four states across the country will discuss topics such as grid modernization, emergency response, FERC’s reach into distribution, and rate recovery.

Technical Track

The Stories We Could Tell: Lessons Learned From The Field

Slade Griffin, Enernex

“I belong to the warrior in whom the old ways have joined the new.” As two-way communications become more widespread in control systems, the old begins to blend with the new in security research, vulnerability assessments, and penetration tests. Slade’s presentation will be a brief recap, and interactive discussion, of the past two years of testing industrial control systems, smart grid equipment, and emerging technologies. This will include real-life examples of vulnerabilities discovered, compliance gaps, and mitigations applied as utilities and vendors work together to apply security best practices in their environments.

Plenary Session

Seán McGurk

Critical Infrastructure Protection is at the forefront of the public and private sectors. With the interdependencies of the national critical infrastructure sectors on the electric sector, many entities are focusing on risk mitigation to prevent a cascading event. Subsequently, industry leaders are addressing challenges in policy, technology and procedures to reduce risk and provide a secure operational environment. As the threat landscape develops, so must the capabilities of solution providers in order to counter the malicious activity. In his keynote address, Seán McGurk will discuss how technology is evolving with the use of intelligence reporting in order to enhance security to reduce risk for power company operations.