Cybersecurity Leadership

Academic year: 2021


(1)

Cybersecurity Leadership

How does Dynamic Enterprise Security Governance benefit ICS Security?

Christopher A. Peters

(2)

Overview

A Perilous Time in Boston during 1775

Fast Forward Today

Internal Challenges

Leadership-driven Solutions

(3)

1775: FUD Headlines


Boston Intelligencer Extra

Battle of Bunker Hill Rages

Patriots Hold Fire Until Whites of Eyes Seen

Lexington Post

(4)

Boston 1775: Situation Dire

Washington

(5)


Boston 1775: The Paradigm Shift

Moves 59 Pieces of Artillery 300 Miles to Dorchester Heights in the Middle of Winter!

Fort Ticonderoga

Washington Turns to Henry Knox

25 Years Old

Former Street Fighter

Boston Book Seller

Paradigm Shifter

Guns of Ticonderoga

(6)

Boston March 1776: British Evacuate!

We must acknowledge two additional considerations that are significant as multipliers of combat power: SURPRISE and

(7)
(8)

A Big Company with Big Challenges

15,500 miles of Transmission Lines

1,800 Substations

82 Fossil Units

11 Nuclear Units

30,000 MW of Generating Capacity

2.7 Million Customers

(9)

WE NEEDED TO ENHANCE OUR CYBER GOVERNANCE

Elevate Executive Awareness

Comprehensive Strategy

Workforce and Vendor Management

Long-term Capital Planning

Technology Alignment Across the Enterprise

Regulatory Excellence

Building Accountability


IN OTHER WORDS, WE NEEDED TO BE BETTER LEADERS!

To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at a governance level, not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance.*

* Carnegie Mellon University

(10)

“Problems: 85% of people don’t care that you have problems at your company; the other 15% are glad you have them”

Lou Holtz

* WE ALL HAVE PROBLEMS THAT REQUIRE SOLUTIONS!

(11)


Problem #1: Asymmetric Threats

Put simply, asymmetric threats or techniques are a version of not "fighting fair," which can include the use of surprise in all its operational and strategic dimensions and the use of weapons in ways unplanned by the United States.

Strategy that fundamentally alters the terrain

(12)

Problem #2: Multiple Regulations

Impossible to Govern in Silos

Single Version of the Truth is Essential!

• Cost

• Technology

• Performance

• Compliance

(13)


Problem #3: Geographically Dispersed ICS Silos

• Energy Delivery: Business unit responsible for the transmission and distribution system of the Entergy operating companies.

• Fossil Generation: Business unit which operates and supports 89 Entergy fossil and hydro generating units.

• Systems Planning and Operation (SPO): Business unit responsible for dispatching generation, acquiring fuel, and procuring resources to meet Entergy’s needs.

• Entergy Wholesale Commodities (EWC): Business unit responsible for the functions and assets of Entergy's non-utility generation business.

• Nuclear: Business unit responsible for operating 11 reactors in 9 locations across Entergy’s Northeast and Southern locations.

(14)

“The best way to predict the future is to create it.”

Peter Drucker

(15)

Strategy Design

Enhance Governance and Oversight

Centralize CIP, OT, and IT

Capital/O&M Planning

Connect the Business

Establish Command and Control

Build the Cross-Functional Cybersecurity Team

Strengthen the Culture

Implement Continuous Monitoring

(16)

Leadership Objective #1: Take Action

We don’t have a 5-Year Plan; we have a 5-Minute Plan!

(17)


(18)

Leadership Objectives #3 and 4: Operate in the Fog and Drive Solutions

(19)
(20)

Transmission, Generation, Systems Planning, Entergy Wholesale, Nuclear

Forge Connections

Reduce Friction

Address Corporate-wide Operational Risk Issues

Make Decisions

(21)

2. Strengthen Cyber Security Governance


Oversight Structures

• OCE (especially CFO and COO, and EVP, HR&A)

• Reliability Oversight Committee

• Corporate Compliance Committee

• Information Technology Advisory Council

• Cyber Security Leadership Team

Management

• VP, Chief Information Officer

• Director, Corporate IT Security

• VP, Critical Infrastructure Protection

• Director, Corporate Security

• Functional Cyber Security Oversight Committees

Workforce

• Transmission

• System Planning and Operations

• Fossil

• Nuclear

• Entergy Wholesale Commodities

Single View: Technology, Finance, Awareness, Compliance, Policies and Procedures, Laws and Regulations

(22)

3. Build a Cross-Functional Team

NIST SP 800-82 “Securing Industrial Control Systems”

New Capabilities to Augment Existing Personnel

Executive Leadership

Operational IT Management

Internal / External IT Audit and Advisory experience

Broad-based industry experience

The 360 View

Utilities, Oil and Gas, Healthcare, Department of Defense, Fortune 500

Manufacturing, Banking, Telecommunications, Nuclear

Multiple Frameworks

COBIT, COSO, NIST, HIPAA, ITIL, ISO, GAAP

Human Capital Planning is Critical to Success!

(23)

4. Strengthen the Culture

Culture of Security, Leadership, and Compliance

• Office of the Chief Executive Briefings

• Cross-Business Unit Awareness Webinars

• Briefings with the Entergy Chief Operating Officer

• Training

• Public-Private Partnership Participation

• Encourage Tactful Dissent

(24)

5. Establish Command and Control

• Inventories

• Situational Awareness

• Executive Reporting

• Decision Making

• Trend and Causal Analysis

• Regulatory Status

• Capital and O&M Spending

• Threat Management and Status Monitoring

(25)

6. Information Sharing

• Nuclear Energy Institute (NEI)

• Edison Electric Institute (EEI)

• North American Transmission Forum (NATF)

• Electric Power Research Institute (EPRI)

• ES-ISAC

• Intelligence Community

• Law Enforcement

• Louisiana Fusion Center

• Homeland Security

(26)

7. Monitor Our Security and Compliance State

Programs to assess the effectiveness of our controls

• NIST 800-137

• Penetration Testing

• NERC CIP Cyber Vulnerability testing

• Readiness Assessments

• Internal Audit General IT Controls Testing

• Identify and Remediate gaps, vulnerabilities, and weaknesses

Security Controls cycle: Implement, Monitor, Assess, Remediate

(27)

Benefits

• Senior Executive Engagement

• Informed Decision Making

• 5 Year Capital Plan

• Improved Efficiency and Performance

• Strengthened Entergy and Vendor Workforce

• Rapid Reaction to Change

• Enhanced Cyber Protections through Technology Roadmapping

Lessons Learned

• Senior Executive Leadership is Essential!

• 3 Types of People to Get On the Bus

• Action Oriented

• Operate in the Fog

• Work Across Multiple Organizations

• Tap the Existing Talent Pool

• Fundamentals are King

• Think Enterprise

Leadership Takeaways

Last Word: Never underestimate the impact that effective leadership has on the security state of your organization

• Take Action

• Operate Seamlessly in the Fog

• Keep it Simple
