The National Electric Sector Cybersecurity Organization (NESCO) was established by the U.S. Department of Energy to enhance cybersecurity information sharing in the electric sector. NESCO is operated by EnergySec, a nonprofit, and provides members with tools like a collaboration portal, rapid notification system, and Tactical Analysis Center. NESCO has grown significantly since its inception and aims to be fully industry-funded after an initial seed period supported by the Department of Energy.
EnergySec & National Electric Cyber Security Organization (NESCO) Overview by Patrick Miller, EnergySec
1. EnergySec & National Electric Cyber Security Organization (NESCO) Overview
2012 Technologies for Security and Compliance Summit
The Anfield Group
August 1-2 2012
Barton Creek Resort – Austin, TX
2. New, New Security Model
Nation State quality adversaries
Fear the auditor more than attacker
Regulatory avalanche forecast
Constant compromise
Ecosystem of organizations
Information sharing is holy grail
7/31/201
3
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec
with funding assistance from the U.S. Department of Energy
3. Info-Share to the Rescue!
What does Information Sharing really mean?
– Taking vs. Sharing
– Secrecy for secrecy’s sake
– Government doesn’t share well (yet)
Very useful approach, but not a panacea
Comes with trade-offs…
4. Information Sharing Reality
Some Pros…
What works, what doesn’t
Benchmarking
Situational awareness
Tactical threat and vulnerability analysis
Community-sourcing
Regulatory compliance
Mentoring
Some Cons…
Classification and handling, both Gov and Corporations
Lawyers, agreements and contracts
Consumers will always outnumber sharers
Trust; n parties
Doesn’t scale well
5. Who is EnergySec?
Unique, non-profit, independent, public-private information sharing organization
Born from Energy Sector
Bottom-up vs. top-down
TRUSTED
– By the industry, for the industry
– Non-profit 501(c)(3)
– Independent, private
– 10+ years of information sharing experience
The National Electric Sector Cybersecurity Organization is partially funded by the US Department of Energy
6. EnergySec Background
10.2001: Precursor to E-Sec NW formed
7.2004: E-Sec NW formalized and “founded”
– Asset owner/operator ONLY; all volunteer
1.2008: SANS Information Sharing Award
12.2008: Incorporated E-Sec NW as EnergySec
10.2009: 501(c)(3) nonprofit determination
4.2010: EnergySec applied for NESCO DOE FOA
7.2010: EnergySec awarded NESCO FOA
10.2010: NESCO became operational
7. What EnergySec Is NOT…
Not a lobbyist
Not a vendor
Not a consultant
Not a government agency
Not a regulator
8. EnergySec Staff
Extensive applied sector experience
– Many years employment at asset owners
– Operations, security, audit, Sr mgmt, OT, IT
– Regional Entity leadership
– Independent consulting; big firms and boutiques
– Built several successful companies
– EnergySec founders, Info-sharing pioneers
– Certified, trusted, highly connected, dedicated
9. EnergySec Programs
NESCO: Information Sharing & Best Practices
Advisory Service
EnergySec University
– Education/Workforce Development
LIGHTS: Security in a box (turnkey)
– Independent board
– Partnership with ICS-ISAC
10. EnergySec Nonprofit Umbrella
EnergySec
– NESCO
– Advisory
– University
– Other…
11. EnergySec Advisory
Customized agenda; facilitated discussion
Examine current and horizon energy sector specific cyber security legislation
Explore methods to meet compliance obligations and enhance security posture
Present threat, vulnerability and impact landscape to executives and staff
Highest concentration of advisors with unique and hard-to-find combination of experience
12. EnergySec University
Professional/workforce development path
– Internal expertise as instructors
– Open faculty roster from best and brightest
– Courses in all IT/OT security-related disciplines
Internship matchmaking – coming soon
Working closely with National Board of Information Security Examiners (NBISE)
13. What Is NESCO?
R. 3183 “...the Secretary shall establish an independent national energy sector cyber security organization...”
– Department Of Energy issued FOA on March 31, 2010
Purpose is to “establish a National Electric Sector Cyber Security Organization that has the knowledge, capabilities, and experience to protect the electric grid and enhance integration of smart grid technologies that are adequately protected against cyber attacks.”
“This organization will serve as a focal point to bring together domestic and international experts, developers, and users who will assess and test the security of novel technology, architectures, and applications.”
14. NESCO Objectives
Organize, lead and implement a public-private partnership
Focus cybersecurity research and development priorities
Identify and disseminate security best practices
Organize the collection, analysis and dissemination of infrastructure vulnerabilities and threats
Work cooperatively with the DOE and other Federal Agencies
Enhance cybersecurity of the bulk power grid and electric infrastructure
15. Who Is NESCO?
Asset Owners: IOU, Muni, Coop
Vendor: Product, Service
Academia/Research: Public, Private
Govt: Non-Reg, Regulatory, Fed, State…
16. Connect & Support
Utility Asset Owners
17. Membership Growth
18. Member Demographics
Membership by Organization (363 unique organizations)
– Academic: 5%
– Asset Owner: 49%
– Govt/Regulatory: 11%
– Vendor/Other: 35%
Membership by Individual (1,050 individual members)
– Academic: 2%
– Asset Owner: 64%
– Govt/Regulatory: 12%
– Vendor/Other: 22%
Predominately Asset Owner Driven Membership Base
19. Membership Overview
NESCO Members as of Sept 30 2011 (1 year):
– 788 NESCO members
– 278 unique organizations
NESCO Members as of July 12 2012:
– 1050 individuals
– 363 unique organizations
Note: This represents a nearly 50% annual growth rate
20. Social Media Outreach
NESCO mailing list: 3536
NESCO Twitter followers: 2635
NESCO LinkedIn group members: 535
21. Direct Outreach
3 Town Hall meetings
19 Voice of the Industry (VOI) meetings
82 TAC notices; 149 follow up threads
71 presentations/panels
94 event participation
37 blog mentions
43 interviews and article citations
22. Engage, Equip & Empower
Sharing requires trust
Trust is built on relationships
Our approach…
– Bringing people together
– Flexible technology options and solutions to extend and enhance relationships
– Organic growth; birds of a feather
23. NESCO Is Technology
Secure collaboration portal
– Wiki
– Working groups
– Discussion forums
– Email distribution lists
Rapid Notification System
Social Media
– LinkedIn, Twitter, Facebook
24. NESCO Tools
Email distribution lists
Secure collaboration wiki
Secure instant messaging
Rapid notification mechanisms
Resource repository
Most technologies have non-attribution (anonymous) options
25. NESCO Resource Repository
Best/common practices
Policy, process, procedure
Compliance approaches
Document Templates
Code snippets, scripts
System configurations
Links to useful security sites
And more…
26. NESCO Tactical Analysis Center
Supports ES-ISAC and ICS-CERT
Open & private source intelligence
Asset owner volunteer handler
SMEs with virtual “dashboards”
Rapid, community-sourced analysis
Secure communications
Rapid notification system
Daily diaries, trending
Quarterly & annual reports
27. ES-ISAC, ICS-CERT and TAC
An analogy… triage and long term care
Basic differences of the TAC
– Operated by an independent non-profit org
– Not associated with a federal regulatory agency
• DOE partner is non-regulatory
• Funding expires in 2014, only “seed” money provided
• Funding model involves cost-share, so industry bears cost throughout entire effort
– Electric sector specific
– Provides feeds, when requested to NERC & DHS & …
28. ES-ISAC, ICS-CERT and TAC
Basic differences of the TAC
– Covers all entities, not just Registered Entities under the NERC Functional Model
• Not just Bulk Electric w/ CA and CCA
• Includes smart grid, distribution, QF generation
– NESCO staff work alongside industry handlers
– RNS has direct access to security staff
– Volunteer reporting structure, not mandatory
– Private position offers unique vendor relationships
– Anonymized pass through for bi-directional sharing
29. NESCO Products
Whitepapers
– DNS Exfiltration
– Security Logging Best Practices and Capability Maturity Models
– Public Key Infrastructure, Automated Metering Infrastructure and Industrial Control Systems
– DOE Electric Sector Cybersecurity Capability Maturity Model (ES-C2M2) – coming soon!
– What else would you like to see?
30. NESCO Products
Rapid Notification System
– Night Dragon webcast
– Duqu webcast
– Multiple TAC notices
31. NESCO Success Stories
…is fantastic that [DOE produces] a document that deals with a subject so technical and that it makes available to the public.
http://goo.gl/0xiWp
32. NESCO Success Stories
Spearphishing notices from asset owner shared with DHS for action
– Result: DHS ICS-CERT advisory issued
Accounts from service contractor posted to Internet reviewed for asset owner data
– Result: Direct contact warning to specific parties
33. NESCO Success Stories
Exposed control systems posted on Internet matched to asset owners
– Result: Direct contact warning to specific parties
EnergySec spearphishing attempt
– Result: Cross-organization comparison with general industry advisory; IOCs published
34. NESCO Success Stories
Industry and [some] Regional Entities seeking to modify process for Technical Feasibility Exceptions to maximize security benefit
– Result: NESCO provided independent and impartial discussion forum, webinar and industry feedback loop for proposed change to process
35. NESCO Success Stories
36. NESCO Funding Model
Department of Energy FOA
Cooperative agreement
Cost-share is ~40%, ramps over life of 3.5 year “seed” window
At end of seed window, NESCO is fully funded by industry
Supported by underwriters and TAC subscriptions
37. NESCO Summary
Focused on building trust through relationships to further security collaboration and sharing
Flexible technology facilitates and catalyzes information/resource sharing efforts
Supports existing successful programs
Security voice of the electric sector
38. Get Connected
EnergySec Summit: September 25-28
– NESCO Town Hall
– CISO Forum
– Policy and Technical Tracks
EnergySec University Courses
– NERC CIP Training: Las Vegas 10/25
– NERC CIP Training: Sacramento 12/4
– Cybersecurity for Operations: Nashville 11/7
NESCO Voice of the Industry (VOI) Meetings
39. Get Connected
www.energysec.org
www.energysec.org/join
www.energysec.org/tac-subscription-service
TAC@energysec.org
New NESCO website soon!
40. Questions?
Patrick C Miller
Principal Investigator, National Electric Sector Cybersecurity Organization
President & CEO, EnergySec
patrick.miller@energysec.org
503.446.1212 (desk)
@patrickcmiller (twitter)
www.energysec.org