By - Jon Brown

Utility Cyber Security Challenges, Readiness, and Risk Management
Leading Practices in Cloud Migration, Critical Infrastructure Protection, and Insider Threat
September 9-10, 2019 | Washington, DC


Overview

The landscape of energy security continues to grow more demanding as the grid evolves into a dynamic, more interconnected place. In order to bring about a fortified Industrial Control System (ICS), utilities need to implement good practices in the areas of data management, risk mitigation, legal protection, and incident preparedness. With these challenges of designing a resilient grid comes a new landscape of NERC standards and regulations as well. With these issues in mind, utilities need to remain up-to-date on the latest trends, best practices, and lessons learned in order to maintain a strong security structure.

In this conference, attendees will receive comprehensive looks at some of the most salient issues on data security specifically for the energy sector. Topics such as cloud migration, critical infrastructure (BCIS) protection, CIP compliance, crisis response, and more will be discussed by some of the nation's leading utilities in Washington, D.C. Join us to discuss these critical issues where both technical and legal professionals can learn, collaborate, and network together in a cohesive, content-driven environment.

Learning Outcomes

  • Discuss leading trends in next-gen cyber challenges and innovative solutions
  • Survey a landscape of international cyber threat and case study procedures
  • Identify best practices in supply chain risk management
  • IT/OT and Smart Integration security (SCADA, IoT, AMI)
  • Explain new CIP-5 NERC compliance standards and treatment of critical infrastructure
  • Review risk management methodology and assessments
  • Communicate strategies for effective cyber security prioritization
  • Distinguish important information on cyber contracting and litigation
  • Discuss PPP programs and connections like InfraGard, NCCIC, e-ISAC
  • Collaborate on important co-existing problems between IS/IT and legal professionals
  • Highlight cloud migration case-studies and treatment of critical infrastructure information

Credits

EUCI has been accredited as an Authorized Provider by the International Association for Continuing Education and Training (IACET). In obtaining this accreditation, EUCI has demonstrated that it complies with the ANSI/IACET Standard which is recognized internationally as a standard of good practice. As a result of their Authorized Provider status, EUCI is authorized to offer IACET CEUs for its programs that qualify under the ANSI/IACET Standard.

EUCI is authorized by IACET to offer 1.0 CEUs for this event and 0.3 CEUs for the workshop.

 

Requirements for Successful Completion of Program

Participants must sign in/out each day and be in attendance for the entirety of the course.

Instructional Methods

PowerPoint presentations and open discussion will be used.

Agenda

Monday, September 9, 2019

12:30 – 1:00 p.m. :: Conference Registration

1:00 – 1:15 p.m. :: Opening Remarks


1:15 – 2:45 p.m. :: KEYNOTE PANEL: Protecting Critical Infrastructure and Next-Gen Cyber Issues

The electric utility industry is evolving rapidly. Distributed resources, the rise of the Internet of Things and increasing engagement with the consumer bring many advantages but also increase responsibilities to anticipate new and more numerous cyber-attack surfaces and protect large volumes of sensitive data. This expert panel will share ideas on how to bolster grid resiliency and develop effective risk mitigation strategies.

Moderator:

Laura Schepis, Sr. Director, National Security, EEI

Panelists:

Fred Bonewell, Chief Security, Safety, and Gas Officer, CPS Energy

Daniel Mishra, Director of CIP Compliance, JEA

Chris Cummiskey, President, Cummiskey Consulting & former DHS Undersecretary and Arizona Senator

2:45 – 3:15 p.m. :: Networking Break


3:15 – 4:00 p.m. :: Keynote Address

Bill Ryan, Region III Director, CISA


4:00 – 5:00 p.m. :: The Cyber Threat Landscape Facing Electric Operations

Electric sector asset owners and operators regularly see headlines on potential cyber-nexus attacks on utilities and related infrastructure, but seldom does such sensational reporting add context and mitigation to vague stories of intrusions. Instead of latching on to discrete end-stage events, grid operators must instead view the cyber threat landscape as representing a continuum of risks running from inadvertent ransomware infection through dedicated, deliberate operations designed to disrupt. Based on this extended view, organizations can begin grasping the entirety of the network-focused risk landscape and begin identifying potential defenses and mitigation techniques. Attendees of this talk will leave with the following insights and knowledge:

  • An overview of recent intrusions and threats to the electric sector
  • In-depth analysis of specific intrusion and disruption risks to electric utility operations
  • Resilient and flexible defensive strategies to reduce risk and ensure organizational resiliency

Joe Slowik, Adversary Hunter, Dragos


Tuesday, September 10, 2019

8:00 – 8:30 a.m. :: Continental Breakfast

8:30 – 8:45 a.m. :: Opening Remarks


8:45 – 9:30 a.m. :: Insider Threat & Industry Security

Across all industries and government, insider threats can equal or exceed external threats both in number and impact. The APS Insider Threat Program is a partnership of Corporate Security, Human Resources, Cybersecurity and Legal resources to timely and discreetly identify, investigate and adjudicate all potential physical, cyber and financial threats by employees or badged contractors, in coordination with other business units as deemed appropriate.  These threats include, but are not necessarily limited to, workplace violence and sexual misconduct, theft, fraud, embezzlement, bribery, vendor kickbacks, data exfiltration and network/system sabotage. Insider Threat awareness and training is regularly provided to the workforce, with special messaging towards leadership at all levels, including emphasis on timely reporting, confidentiality and no tolerance for retaliation against witnesses and victims.

Michael Anderson, General Manager of Enterprise Security, Arizona Public Service


9:30 – 10:30 a.m. :: Electric Sector Leadership on Critical Security Challenges 

Across the investor-owned, cooperative and public power segments of the industry, EEI is focusing through the ESCC on supply chain, grid security emergency orders, and ongoing deficiencies in information-sharing. As the ESCC evolves and strengthens its capabilities, EEI is presenting very clear information and requests to government partners aimed at identifying and removing barriers to improved security.  EEI is also supporting an ongoing effort to build up partnerships with the telecommunications, finance, oil & natural gas, water and transportation sectors.   

Laura Schepis, Sr. Director, National Security, EEI

10:30 – 11:00 a.m. :: Networking Break


11:00 a.m. – 12:00 p.m. :: PANEL: Risk and Threat Assessment Methodology and Benchmarking Criteria

Cyber-attacks threaten the grid thousands of times every day, causing utilities to set up appropriate risk mitigation initiatives.

In order to effectively prioritize, utilities need to accurately evaluate criteria for threat vectors, control options, and trade-offs. This panel will discuss different approaches to threat methodology, risk management, and cyber-readiness.

Moderator:

Peter Morin, Cybersecurity and Privacy Consulting, PwC

Panelists:

Charles Salas, Manager of Realtime Systems Security Engineering, Exelon

Michael Anderson, GM of Enterprise Security, APS

12:00 – 1:00 p.m. :: Group Luncheon


1:00 – 1:45 p.m. :: Risk Profiling and Nuances of ICS/OT

Utilities require comprehensive procedures for identifying threats and appropriately prioritizing security. This presentation will cover details of the ICS/OT risk profiling process.

Charles Salas, Manager of Realtime Systems Security Engineering, Exelon


1:45 – 2:30 p.m. :: Enterprise Reliability Risk Management

The energy industry experiences thousands of attacks on the grid every day, and the risk of missing even one is catastrophic. For this reason, it is imperative that utilities set up clear models of reliability, quality, and risk management. What are the requirements of a sufficient cyber-protection system, and how do we define the goals of ERM?

  • Discover differences between ERM & compliance management
  • Consider variables in top down vs. bottom up security management
  • Discuss issues with using risk matrices for ERM

Michael DeLoach, Executive Director, Risk Transformation Office, RSA Security

2:30 – 3:00 p.m. :: Networking Break


3:00 – 3:45 p.m. :: Promoting Reliable Methods for Prioritizing Security and Communicating Risk to Corporate Leaders

Technology is evolving at a rate that is difficult for the energy industry to manage. Increasing numbers of IoT, DER, and Smart Grid applications create growing tension between technology and security. One significant issue for IT/IS professionals is communicating these risks to company leaders in a way that effectively prioritizes a resilient grid. This session will explore techniques for handling risk appropriately within the utility and handling new technology in an effective and safe way.

  • Risk communication and security prioritization
  • Next generation cyber issues
  • Appropriately managing security protocol and threat

Chris Cummiskey, President, Cummiskey Strategic Solutions


3:45 – 5:00 p.m. :: FEDERAL PANEL: Government Regulation and Public Private Partnerships (PPP)

The federal government involves a handful of agencies both in cyber-threat prevention and in the response after a breach has occurred. This panel will consist of agency representatives discussing federal roles, programs, and advice on regulations like CIP.

Moderator:

Paul Tio, Partner, Hunton Andrews Kurth

Panelists:

Matthew Wombacher, National Infrastructure Coordinating Director, US DHS

Janna White, Supervisory Special Agent, FBI

Allie Schott, Management and Program Analyst, FBI Cyber Division

Workshop

Fundamentals of ICS Threat & Cyber Resilience

Monday, September 9, 2019

8:00 – 8:30 a.m. :: Workshop Registration and Continental Breakfast

8:30 – 11:30 a.m. :: Workshop Timing

Overview

Like other parts of critical infrastructure, utilities face advancing cyber security threats to their corporate and field environments.  Regulators have mandated in their jurisdictions that these threats be addressed ultimately through compliance with cyber security requirements.  However, because of the complex nature of control systems, utility cyber security programs face much greater challenges in providing needed cyber security controls.  Further complicating the situation are newer digital components, virtual computing, and cloud technologies being implemented that are challenging many preconceived notions of how technology is used in power generation and delivery. 

As the options for access and control become more complicated, cyber security becomes more important to the overall safety of the environment.  Threats are rapidly evolving, and the industry is struggling to balance asset availability with cyber security to keep malicious actors at bay.  Regulators continue to refine their guidance, and the industry is racing to keep up.  Notwithstanding growing questions and concerns from Utility Boards of Directors over cyber security, each audit of compliance requirements yields new insight into regulator concerns over cyber security in the energy industry. 

This workshop is an in-depth introduction to cyber security issues facing utilities today.  It is meant as a primer to give the necessary background for all staff to understand the concepts and complexities of cyber security and compliance with regulatory standards.

Learning Outcomes/Agenda

  • Discuss current value at risk from cyber security threats facing electric utilities
  • Analyze cyber threats and vulnerabilities
  • Discuss cyber security compliance, key implementation strategies, and current events
  • Review practical on-premise and cloud techniques for risk management and data protection
  • Articulate holistic cyber security program strategies focused on prevention

Instructor:

Robert Schuler, CISSP, Manager, Cyber Security Strategy, Accenture Security

Mr. Schuler is a cyber security strategy manager and technical thought leader with 19 years of cyber security risk management and systems security engineering experience across multiple industries.  Over this period, he has become a recognized expert in both North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) and Nuclear Energy Institute (NEI) cyber security guidance for utility control systems. 

Mr. Schuler’s industry outreach activities have included frequent speaking engagements delivering control system cyber security courses and speaking on industry panels, where his technical knowledge and interactive style are helping key industry participants reach a shared understanding of cyber security threats, compliance standards, and how to build secure, best-practice architectures while meeting compliance objectives.

He recently led a CIP Version 5 program development project at a large utility, which was focused on guidance of the subject matter expert teams toward shared agreement, facilitating process refinement and development, and aligning organizational culture with program expectations. 

He advises government and private sector organizations on high-performing cyber security architectures in critical or control system environments.  He also counsels industry regulators regarding compliance requirements and builds consensus on suggested improvements to address following the intent of a particular requirement.

Speakers

Michael Anderson, General Manager of Enterprise Security, Arizona Public Service

Fred Bonewell, Chief Security, Safety, and Gas Officer, CPS Energy

Chris Cummiskey, President, Cummiskey Consulting & former DHS Undersecretary and Arizona Senator

Michael DeLoach, Executive Director, Risk Transformation Office, RSA Security

Daniel Mishra, Director of CIP Compliance, JEA

Peter Morin, Cybersecurity and Privacy Consulting, PwC

Bill Ryan, Region III Director, CISA

Charles Salas, Manager of Realtime Systems Security Engineering, Exelon

Laura Schepis, Sr. Director, National Security, EEI

Allie Schott, Management and Program Analyst, FBI Cyber Division

Joe Slowik, Adversary Hunter, Dragos

Paul Tio, Partner, Hunton Andrews Kurth

Janna White, Supervisory Special Agent, FBI

Matthew Wombacher, National Infrastructure Coordinating Director, US DHS

Location

 

Hyatt Regency Fairfax

12777 Fair Lakes Cir

Fairfax, VA 22033

Reserve your room:

please call 1-703-818-1234

Room Block Reserved For:

Nights of September 8 – 9, 2019

Room rate through EUCI:

$139.00 single or double plus applicable taxes
Make your reservations prior to August 8, 2019.

Register

Please Note: Confirmed speakers do not need to register and are encouraged to participate in all sessions of the event. If you are a speaker and have any questions, please contact our offices at 1.303.770.8800.

Event: Utility Cyber Security Challenges, Readiness, and Risk Management

  • Early Bird (before Friday, August 23, 2019): US $ 1295.00
  • Standard Rate: US $ 1495.00

This event has the following workshops:

Workshop: Fundamentals of ICS Threat & Cyber Resilience

  • Early Bird (before Friday, August 23, 2019): US $ 495.00
  • Standard Rate: US $ 595.00

*Please note: all attendees of the conference will receive a link to download all presentations that are made available by the presenters. If you cannot attend the conference but would still like a copy of these materials, please consider purchasing the proceedings package listed below.

I cannot attend but would like a copy of the proceedings

Proceedings package US $ 395.00

Take advantage of these discounts!

  • Attend the Conference and workshop and pay US $ 1,695.00 per attendee (save US $ 95.00 each)

Register 3 Send 4th Free!

Any organization wishing to send multiple attendees to these conferences may send 1 FREE for every 3 delegates registered. Please note that all registrations must be made at the same time to qualify.

Cancellation Policy

Your registration may be transferred to a member of your organization up to 24 hours in advance of the event. Cancellations must be received on or before August 09, 2019 in order to be refunded and will be subject to a US $195.00 processing fee per registrant. No refunds will be made after this date. Cancellations received after this date will create a credit of the tuition (less processing fee) good toward any other EUCI event. This credit will be good for six months from the cancellation date. In the event of non-attendance, all registration fees will be forfeited. In case of conference cancellation, EUCI's liability is limited to refund of the event registration fee only. For more information regarding administrative policies, such as complaints and refunds, please contact our offices at 303-770-8800.
