Utility Cyber Security Challenges, Readiness, and Risk Management

Leading Practices in Cloud Migration, Critical Infrastructure Protection, and Insider Threat

September 9-10, 2019 | Washington, DC

The landscape of energy security continues to grow more demanding as the grid evolves into a dynamic, more interconnected place. In order to bring about a fortified Industrial Control System (ICS), utilities need to implement good practices in the areas of data management, risk mitigation, legal protection, and incident preparedness. With these challenges of designing a resilient grid comes a new landscape of NERC standards and regulations as well. With these issues in mind, utilities need to remain up-to-date on the latest trends, best practices, and lessons learned in order to maintain a strong security structure.

In this conference, attendees will receive comprehensive looks at some of the most salient issues on data security specifically for the energy sector. Topics such as cloud migration, critical infrastructure (BCIS) protection, CIP compliance, crisis response, and more will be discussed by some of the nation’s leading utilities in Washington D.C. Join us to discuss these critical issues where both technical and legal professionals can learn, collaborate, and network together in a cohesive, content-driven environment.

Learning Outcomes

  • Discuss leading trends in next-gen cyber challenges and innovative solutions
  • Survey a landscape of international cyber threat and case study procedures
  • Identify best practices in supply chain risk management
  • IT/OT and Smart Integration security (SCADA, IoT, AMI)
  • Explain new CIP-5 NERC compliance standards and treatment of critical infrastructure
  • Review risk management methodology and assessments
  • Communicate strategies for effective cyber security prioritization
  • Distinguish important information on cyber contracting and litigation
  • Discuss PPP programs and connections like InfraGard, NCCIC, e-ISAC
  • Collaborate on important co-existing problems between IS/IT and legal professionals
  • Highlight cloud migration case-studies and treatment of critical infrastructure information

Credits

EUCI is accredited by the International Accreditors for Continuing Education and Training (IACET) and offers IACET CEUs for its learning events that comply with the ANSI/IACET Continuing Education and Training Standard. IACET is recognized internationally as a standard development organization and accrediting body that promotes quality of continuing education and training.

EUCI is authorized by IACET to offer 1.0 CEUs for this event and 0.3 CEUs for the workshop.

 

Requirements for Successful Completion of Program

Participants must sign in/out each day and be in attendance for the entirety of the course.

Instructional Methods

PowerPoint presentations and open discussion will be used.

Agenda

Monday, September 9, 2019

12:30 – 1:00 p.m. :: Conference Registration

1:00 – 1:15 p.m. :: Opening Remarks

1:15 – 2:45 p.m. :: KEYNOTE PANEL: Protecting Critical Infrastructure and Next-Gen Cyber Issues

The electric utility industry is evolving rapidly. Distributed resources, the rise of the Internet of Things and increasing engagement with the consumer bring many advantages but also increase responsibilities to anticipate new and more numerous cyber-attack surfaces and protect large volumes of sensitive data. This expert panel will share ideas on how to bolster grid resiliency and develop effective risk mitigation strategies.

Moderator:

Laura Schepis, Sr. Director, National Security, EEI

Panelists:

Fred Bonewell, Chief Security, Safety, and Gas Officer, CPS Energy

Daniel Mishra, Director of CIP Compliance, JEA

Chris Cummiskey, President, Cummiskey Consulting & former DHS Undersecretary and Arizona Senator

2:45 – 3:15 p.m. :: Networking Break

3:15 – 4:00 p.m. :: Keynote Address

As a new U.S. Government agency, the Cybersecurity and Infrastructure Security Agency (CISA) works with public and private sector partners to defend against today’s threats and to increase security and resilience in our critical infrastructure.  The opening comments will outline CISA’s priorities, the tools and resources available to partners to assist in defending against the threats we face, and ways to communicate and collaborate with CISA to help accomplish the mission.

Bill Ryan, Region III Director, CISA

4:00 – 5:00 p.m. :: The Cyber Threat Landscape Facing Electric Operations

Electric sector asset owners and operators regularly see headlines on potential cyber-nexus attacks on utilities and related infrastructure, but seldom does such sensational reporting add context and mitigation to vague stories of intrusions. Instead of latching on to discrete end-stage events, grid operators must instead view the cyber threat landscape as representing a continuum of risks running from inadvertent ransomware infection through dedicated, deliberate operations designed to disrupt. Based on this extended view, organizations can begin grasping the entirety of the network-focused risk landscape and begin identifying potential defenses and mitigation techniques. Attendees of this talk will leave with the following insights and knowledge:

  • An overview of recent intrusions and threats to the electric sector
  • In-depth analysis of specific intrusion and disruption risks to electric utility operations
  • Resilient and flexible defensive strategies to reduce risk and ensure organizational resiliency

Joe Slowik, Adversary Hunter, Dragos

Tuesday, September 10, 2019

8:00 – 8:30 a.m. :: Continental Breakfast

8:30 – 8:45 a.m. :: Opening Remarks

8:45 – 9:30 a.m. :: Insider Threat & Industry Security

Across all industries and government, insider threats can equal or exceed external threats both in number and impact. The APS Insider Threat Program is a partnership of Corporate Security, Human Resources, Cybersecurity and Legal resources to timely and discreetly identify, investigate and adjudicate all potential physical, cyber and financial threats by employees or badged contractors, in coordination with other business units as deemed appropriate.  These threats include, but are not necessarily limited to, workplace violence and sexual misconduct, theft, fraud, embezzlement, bribery, vendor kickbacks, data exfiltration and network/system sabotage. Insider Threat awareness and training is regularly provided to the workforce, with special messaging towards leadership at all levels, including emphasis on timely reporting, confidentiality and no tolerance for retaliation against witnesses and victims.

Michael Anderson, General Manager of Enterprise Security, Arizona Public Service

9:30 – 10:30 a.m. :: Electric Sector Leadership on Critical Security Challenges 

Across the investor-owned, cooperative and public power segments of the industry, EEI is focusing through the ESCC on supply chain, grid security emergency orders, and ongoing deficiencies in information-sharing. As the ESCC evolves and strengthens its capabilities, EEI is presenting very clear information and requests to government partners aimed at identifying and removing barriers to improved security.  EEI is also supporting an ongoing effort to build up partnerships with the telecommunications, finance, oil & natural gas, water and transportation sectors.   

Laura Schepis, Sr. Director, National Security, EEI

Patrick Hart, Director, National Security Policy, EEI 

10:30 – 11:00 a.m. :: Networking Break

11:00 a.m. – 12:00 p.m. :: PANEL: Risk and Threat Assessment Methodology and Benchmarking Criteria

Cyber-attacks threaten the grid thousands of times every day, causing utilities to set up appropriate risk mitigation initiatives.

In order to effectively prioritize, utilities need to accurately evaluate criteria for threat vectors, control options, and trade-offs. This panel will discuss different approaches to threat methodology, risk management, and cyber-readiness.

Panelists:

Charles Salas, Manager of Realtime Systems Security Engineering, Exelon

Benjamin Gilbert, Cybersecurity Advisor, Region III, CISA

Michael Anderson, GM of Enterprise Security, APS

12:00 – 1:00 p.m. :: Group Luncheon

1:00 – 1:45 p.m. :: Risk Profiling and Nuances of ICS/OT

Utilities require comprehensive procedures for identifying threats and appropriately prioritizing security. This presentation will cover details of the ICS/OT risk profiling process.

Charles Salas, Manager of Realtime Systems Security Engineering, Exelon

1:45 – 2:30 p.m. :: Enterprise Reliability Risk Management

The energy industry experiences thousands of attacks on the grid every day, and missing even one could be catastrophic. For this reason, it is imperative that utilities set up clear models of reliability, quality, and risk management. What are the requirements of a sufficient cyber-protection system, and how do we define the goals of ERM?

  • Discover differences between ERM & compliance management
  • Consider variables in top down vs. bottom up security management
  • Discuss issues with using risk matrices for ERM

Michael DeLoach, Executive Director, Risk Transformation Office, RSA Security

2:30 – 3:00 p.m. :: Networking Break

3:00 – 3:45 p.m. :: Promoting Reliable Methods for Prioritizing Security and Communicating Risk to Corporate Leaders

Technology is evolving at a rate that is difficult for the energy industry to manage. Increasing numbers of IoT, DERs, and Smart Grid applications create growing tension between technology and security. One significant issue for IT/IS professionals is communicating these risks to company leaders in a way that effectively prioritizes a resilient grid. This session will explore techniques for handling risk appropriately within the utility and adopting new technology in an effective and safe way.

  • Risk communication and security prioritization
  • Next generation cyber issues
  • Appropriately managing security protocol and threat

Chris Cummiskey, President, Cummiskey Strategic Solutions

3:45 – 5:00 p.m. :: FEDERAL PANEL: Government Regulation and Public Private Partnerships (PPP)

The federal government involves a handful of agencies in cyber-threat prevention and in the response after a breach has occurred. This panel will consist of agency representatives discussing federal roles, programs, and advice on regulations like CIP.

Moderator:

Paul Tio, Partner, Hunton Andrews Kurth

Panelists:

Matthew Wombacher, National Infrastructure Coordinating Director, US DHS

Franco Cappa, Cybersecurity Advisor, CISA

Joel Max, Intelligence Analyst, FBI Cyber Division

Allie Schott, Management and Program Analyst, FBI Cyber Division

Workshop

Fundamentals of ICS Threat & Cyber Resilience

Monday, September 9, 2019

8:00 – 8:30 a.m. :: Workshop Registration and Continental Breakfast

8:30 – 11:30 a.m. :: Workshop Timing

Overview

Like other parts of critical infrastructure, utilities face advancing cyber security threats to their corporate and field environments.  Regulators have mandated in their jurisdictions that these threats be addressed ultimately through compliance with cyber security requirements.  However, because of the complex nature of control systems, utility cyber security programs face much greater challenges in providing needed cyber security controls.  Further complicating the situation are newer digital components, virtual computing, and cloud technologies being implemented that are challenging many preconceived notions of how technology is used in power generation and delivery. 

As the options for access and control become more complicated, cyber security becomes more important to the overall safety of the environment.  Threats are rapidly evolving, and the industry is struggling to balance asset availability with cyber security to keep malicious actors at bay.  Regulators continue to refine their guidance, and the industry is racing to keep up.  Notwithstanding growing questions and concerns from Utility Boards of Directors over cyber security, each audit of compliance requirements yields new insight into regulator concerns over cyber security in the energy industry. 

This workshop is an in-depth introduction to cyber security issues facing utilities today.  It is meant as a primer to give the necessary background for all staff to understand the concepts and complexities of cyber security and compliance with regulatory standards.

Learning Outcomes/Agenda

  • Discuss current value at risk from cyber security threats facing electric utilities
  • Analyze cyber threats and vulnerabilities
  • Discuss cyber security compliance, key implementation strategies, and current events
  • Review practical on-premise and cloud techniques for risk management and data protection
  • Articulate holistic cyber security program strategies focused on prevention

Instructor:

Robert Schuler, CISSP, Manager, Cyber Security Strategy, Accenture Security

Mr. Schuler is a cyber security strategy manager and technical thought leader with 19 years of cyber security risk management and systems security engineering experience across multiple industries.  Over this period, he has become a recognized expert in both North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) and Nuclear Energy Institute (NEI) cyber security guidance for utility control systems. 

Mr. Schuler’s industry outreach activities have included frequent speaking engagements delivering control system cyber security courses and speaking on industry panels, where his technical knowledge and interactive style are helping key industry participants reach a shared understanding of cyber security threats, compliance standards, and how to build secure, best-practice architectures while meeting compliance objectives.

He recently led a CIP Version 5 program development project at a large utility, which was focused on guidance of the subject matter expert teams toward shared agreement, facilitating process refinement and development, and aligning organizational culture with program expectations. 

He advises government and private sector organizations on high-performing cyber security architectures in critical or control system environments.  He also counsels industry regulators regarding compliance requirements and builds consensus on suggested improvements to address following the intent of a particular requirement.

Speakers

Michael Anderson, General Manager of Enterprise Security, Arizona Public Service

Fred Bonewell, Chief Security, Safety, and Gas Officer, CPS Energy

Franco Cappa, Cybersecurity Advisor, CISA

Chris Cummiskey, President, Cummiskey Consulting & former DHS Undersecretary and Arizona Senator

Michael DeLoach, Executive Director, Risk Transformation Office, RSA Security

Benjamin Gilbert, Cybersecurity Advisor, Region III, CISA

Patrick Hart, Director, National Security Policy, EEI 

Joel Max, Intelligence Analyst, FBI Cyber Division

Daniel Mishra, Director of CIP Compliance, JEA

Bill Ryan, Region III Director, CISA

Charles Salas, Manager of Realtime Systems Security Engineering, Exelon

Laura Schepis, Sr. Director, National Security, EEI

Allie Schott, Management and Program Analyst, FBI Cyber Division

Joe Slowik, Adversary Hunter, Dragos

Paul Tio, Partner, Hunton Andrews Kurth

Janna White, Supervisory Special Agent, FBI

Matthew Wombacher, National Infrastructure Coordinating Director, US DHS

Location

 

Hyatt Regency Fairfax

12777 Fair Lakes Cir

Fairfax, VA 22033

Reserve your room:

Please call 1-703-818-1234

Room Block Reserved For:

Nights of September 8 – 9, 2019

Room rate through EUCI:

$139.00 single or double plus applicable taxes
Make your reservations prior to August 23, 2019.

Register

REGISTER NOW FOR THIS EVENT:

Utility Cyber Security Challenges, Readiness, and Risk Management

September 9-10, 2019 | Washington, DC
Individual attendee(s) - $1395.00 each

Buy 4 in-person seats and only pay for 3! For this event every fourth in-person attendee is free!