Town Hall: Security Risk Management Practices for Electric Utilities
Event Description
Security risk management is a topic of continued discussion in the electric sector. It can be a daunting and often overwhelming task when faced with the many security risk management models available to implement.
This town hall style meeting brings together many of the industry's leading security professionals to explore security risk management practices for the electric sector in depth. You will have the opportunity to participate in open discussions with security risk experts, hear about solutions implemented by utility security teams, and learn about security risk management guidelines from the actual authors.
Targeted Audience
Senior-level industry executives, cyber security experts and peers from the security and utility communities, key decision makers, and subject matter experts in critical infrastructure protection, cyber security and electric utilities.
To Reserve Your Room
$139 per night group rate. Reservations must be made by May 15, 2012. Use this link - New Orleans Marriott or call 504-581-1000 with the group code: NESNESA.
Pre-Town Hall Event
CISO Summit
National Grid and the NESCO are holding an invitation-only CISO summit prior to the town hall meeting. If you are interested in knowing more about this summit, please contact us at info@energysec.org.
May 29th: Noon - 5pm
May 30th: 8am - Noon
Town Hall Agenda
May 30, 2012
12:00 PM - NESCO Town Hall Registration Opens
1:00 PM - Keynote Speaker - William Bryan, U.S. Department of Energy, Deputy Assistant Secretary, Infrastructure Security and Energy Restoration
Manage Risk Before it Manages You
What happens when the process to manage risk becomes greater than the risk itself? Network intrusions and cyber incidents are happening every day, everywhere, to nearly everybody, so the “risk” is upon us and in most cases is broad, recognized and understood. So, shouldn’t the management of this risk be relatively simple and structured? Cyber-security is a tough problem, but it is not unsolvable.
1:30 PM - Presentation - Matthew Light, U.S. Department of Energy, Infrastructure System Analyst
Overview of the Cyber Security Risk Management Process (RMP)
The Department of Energy, in coordination with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC), is leading a public and private sector collaboration to develop a cybersecurity risk management process (RMP) guideline that provides a consistent, repeatable, and adaptable process for the electric sector and enables organizations to proactively manage cybersecurity risk. The objective of this collaboration is to build upon existing guidance and requirements to develop a flexible risk management process tuned to the diverse missions, equipment, and business needs of the electric power industry. The guideline looks holistically at the organization across both information technology and industrial control systems.
2:30 PM - Networking Break
3:00 PM - Open Discussion w/ Expert Panel
What Risks Are We Trying to Manage?
Jackie Stewart, former British racing driver and team owner from Scotland, once said “There is no doubt that Formula 1 has the best risk management of any sport and any industry in the world.” This is because Formula 1, as an industry, has spent many years researching its risk portfolio. They know exactly what to measure, have determined their risk tolerance level as an industry and have established a mature practice of measuring risk as part of their business model.
The electric sector does this well on the operations side with many risk assessment practices being utilized on a daily basis. But what about security risks? What are we doing about those risks? This discussion session will explore the security risks that we should be managing to help enable the high level of reliability we expect of the power grid.
Moderator: Brandon Dunlap, Brightfly, Managing Director of Research
Panelists:
Prudence Parks, Utilities Telecom Council, Director of Government Affairs and Legislative Counsel
Robert Coles, National Grid, CISO & Head of Digital Security and Risk
Dave Lewis, AMD, Senior Information Security Analyst
Ben Tomhave, Lockpath, MS, CISSP, Principal Consultant
Chris Peters, Entergy, Vice President Critical Infrastructure Protection
5:00 PM - Reception hosted by Entergy
Please join us in congratulating Evan Pena from the University of Texas at San Antonio. He was the winner of the 2012 US Cyber Challenge SCADA Quest, and we are pleased to honor him at this wonderful reception hosted by Entergy. Mike Assante, President and CEO of NBISE, will be presenting the award. You will learn about the US Cyber Challenge program and have a good time doing it as well. The networking will certainly be worth the price of admission (free).
May 31, 2012
7:00 AM - Registration Opens
7:45 AM - Opening - Patrick Miller, National Electric Sector Cyber Security Organization, Principal Investigator
8:00 AM - Keynote Speaker - Wade Baker, Director, Research & Intelligence at Verizon Business
The Value of Evidence-Based Risk Management (EBRM)
Based on forensic evidence collected while investigating some of the largest data breaches in history, Wade Baker will present a rare view into the world of corporate cybercrime. Over the last eight years, Baker and his colleagues have investigated and compiled data on over 2500 confirmed breaches, and shared this research with the community in Verizon's annual Data Breach Investigations Reports. The presentation will delve into the actors, techniques, and motives behind corporate data breaches, and provide views into the dataset that have never been published.
While examining breach trends provides a fitting backdrop for the talk, the overall goal is to demonstrate the value of “Evidence-based Risk Management” (EBRM). Borrowing from the concept of evidence-based medicine, EBRM aims to apply the best available evidence gained from empirical research to measure and manage information risk. Security incidents, whether large or small, are a huge part of that “best available evidence.” With better analysis around these incidents - as well as those experienced by others - organizations can more effectively and efficiently target tactical and strategic measures to help reduce risk.
9:00 AM - Presentation - Katie Jereza, Energetics Incorporated, Program Director/U.S. Resilience Project, Liaison
Aha! Valuable Tools for Managing Supply Chain Risk
Did you know that best practices in supply chain risk management can already help narrow the risk of compromised or counterfeit components entering the smart grid supply chain? The U.S. Dept of Energy and George Mason University, working with the U.S. Resilience Project, have identified a number of business processes and tools drawn from the electric, electronics, software, telecommunications, chemical, defense industrial base, aerospace, and heavy manufacturing sectors that you can leverage today to ensure the integrity of products in your supply chain. Find out more about these tools and how we are working to build a framework for public-private collaboration that builds on existing supply chain best practices to manage cyber risks in the smart grid.
10:00 AM - Networking Break
10:30 AM - Presentation - Craig Miller, NRECA, Senior Program Manager
Cyber Security From The Heart
The Cooperative Research Network, working with the rural electric cooperatives, has developed an approach to cyber security which emphasizes self-assessment and development of a plan for continuous improvement rather than specific technical standards. The idea is to allow utilities at very different stages of maturity in cyber security to get started and move along a well-defined, documented, and proven path. After initial success (more than 1300 downloads), CRN is working on improvements to the guidance documents, reference materials and templates, incorporating the DOE’s new Electric Sector Cyber Security Resiliency Maturity Model Initiative.
11:30 AM - Lunch Break hosted by AlertEnterprise
1:00 PM - Open Discussion w/ Expert Panel
What Are We Doing to Solve the Problem?
With any good problem, there are many solutions to be had. Rarely is there a single solution and with the complexity of the power grid there are no “one size fits all” answers. There is, however, common ground and lessons to be learned.
This discussion session will dive into practices that are already being utilized in the electric sector to address security risks of the power grid. We will be asking for new ideas to fill gaps that may have been identified in the day one open discussion, and we will be encouraging the sharing of practices that are proving to be successful. Together we will make strides to reach the finish line in the race to secure the grid.
Moderator: Brandon Dunlap, Brightfly, Managing Director of Research
Panelists:
Craig Miller, NRECA, Senior Program Manager
Jack Whitsitt, TSA/DHS, Team Lead, Cyber Security Awareness and Outreach
Louis Dabdoub III, Entergy, Manager, Corporate Security
Mark Ellister, Eugene Water and Electric Board, Sr. Security Specialist
Karl Perman, North American Transmission Forum, Director of Security
3:00 PM - Town Hall Concludes
Bios
William Bryan - Mr. Bryan is the Deputy Assistant Secretary for Infrastructure Security and Energy Restoration in the U.S. Department of Energy's (DOE) Office of Electricity Delivery and Energy Reliability (OE). As a career Senior Executive, Mr. Bryan oversees the collection, analysis, and dissemination of vital information to all involved in energy response and restoration efforts. Mr. Bryan leads DOE's efforts in the coordination and collaboration of energy sector-related reliability and resiliency activities between the energy industry and the federal government. He also leads the office in support of the electricity, oil, and natural gas industries in the development and implementation of infrastructure protection strategies and methodologies both at home and abroad. Mr. Bryan holds a Master of Science in Strategic Intelligence from the Joint Military Intelligence College in Washington D.C. He also holds a Bachelor of Science in Logistics Systems Management (Summa Cum Laude) from Colorado Technical University in Colorado Springs, CO.
Wade Baker - Mr. Baker is the Director of Risk Intelligence for Verizon. In this role, he oversees the collection, analysis, and delivery of data relevant to understanding and managing information risk. Prior to his tenure at Verizon, he was an independent consultant and spent 5 years on the faculty of two major research universities, most recently in the Pamplin College of Business at Virginia Tech.
A researcher at heart, Baker’s work on various topics has been published in a number of academic journals, professional magazines, industry reports, and books. Baker is the creator, author, and primary analyst for Verizon’s Data Breach Investigations Report series.
Robert Coles - Robert's experience in the field of risk and information security has been wide and varied, for organizations such as KPMG and the Royal Bank of Scotland. Directly before joining National Grid he was Chief Information Security Officer for Merrill Lynch. He helped the Information Systems Audit & Control Association develop the Certified Information Security Manager (CISM) examination and was an examiner for over 5 years. In 2003 he was a founder of the Institute of Information Security Professionals in the UK and served as a Director and Treasurer for the Institute until 2010. Robert undertakes research and actively publishes in his field. He obtained his PhD from the University of Leeds on the psychology of information risk and security, focusing on how we can make better judgements about risk by understanding perceptions, and he is currently working with a consortium of European Universities under the European Union funding program in the area of critical national infrastructure policy. At National Grid, Robert is the Chief Information Security Officer and Head of the Digital Risk and Security function, reporting to the CIO. His job is fundamentally about understanding the changing nature of the threats and risks to the National Grid business and electricity/gas information and systems, and ensuring that appropriate countermeasures are in place to manage risks.
Louis S. Dabdoub III - Louis Dabdoub is the Corporate Security Manager at Entergy. Previous to joining Entergy, Louie had experience in emergency management, counter-terrorism, homeland security, local law enforcement, and public-private sector security organization and response. Just prior to joining the Entergy team he served as the Supervisory Protective Security Advisor (SPSA) for the Gulf Coast Area (LA, TX, MS, AL, and FL Panhandle) for the U.S. Department of Homeland Security, and was based in the New Orleans, Louisiana Field Office. In this capacity, he worked closely with homeland security, law enforcement and emergency response counterparts at all levels of government as well as with security specialists throughout the private sector. Additionally, as directed by the Assistant Secretary for Infrastructure Protection, he also served as the Senior DHS representative in a Joint Field Office for Infrastructure Protection during times of national disaster. He also holds the designation of CPP with ASIS, the highest title in the security industry worldwide.
Brandon Dunlap - Brandon Dunlap has more than 15 years of experience managing business technology risk in large and small organizations. He has served in a variety of roles across heavily regulated industries, successfully leading all aspects of IT security programs, including policy and procedure management, oversight and control, strategy, architecture, development, and training. Currently, he is the Managing Director of Research of Brightfly, an independent advisory and research firm that focuses on building a collaborative practitioner community and bridging the gaps within the information technology, security, risk, compliance and audit disciplines.
Mark Ellister - Mark is a Sr. Security Specialist with Eugene Water & Electric Board. Mark has been in the cybersecurity field for more than 18 years, working with various local government agencies on regulatory requirements including HIPAA (Health Insurance Portability and Accountability Act), CJIS (Criminal Justice Information System), and NERC CIP (Critical Infrastructure Protection). Mark has a background in electrical engineering as well and enjoys designing and building high voltage vacuum tubes in his spare time.
Katie Jereza - Katie Jereza (pronounced her-ay-sa) is director of the cybersecurity program at Energetics Incorporated, where she manages strategy and technical support to the DOE Office of Electricity Delivery and Energy Reliability R&D Program. Katie is known for her work in fostering public-private partnerships that help raise broad awareness and drive action on infrastructure protection and resilience issues. In 2009, she won the International Technical Publications Excellence Award for her work with the Roadmap to Secure Control Systems in the Water Sector. In 2011, Katie helped the Energy Sector Control Systems Working Group update the Roadmap to Achieve Energy Delivery Systems Cybersecurity and the Nuclear Sector Joint Cyber Subcouncil develop the Roadmap to Enhance Cyber Systems Security in the Nuclear Sector. Katie holds a B.S. in Chemical Engineering from Virginia Tech and an M.B.A. from Loyola University Maryland.
Dave Lewis - Dave Lewis has over 15 years of industry experience. He has extensive experience in IT operations and management. Dave is the founder of the popular security site Liquidmatrix Security Digest. Prior to his current role, Dave worked in the finance, healthcare, entertainment and critical infrastructure verticals. He has worked for a defense contractor as a security consultant to clients such as the FBI, US Navy, Social Security Administration, US Postal Service and the US Department of Defense, to name a few.
Matthew Light - Matthew Light is an infrastructure analyst for the Office of Electricity Delivery and Energy Reliability at the U.S. Department of Energy (DOE). He is responsible for developing analytic products, information plans and policies, and coordinating with federal and private sector partners as part of DOE's role in protecting critical energy infrastructure under the National Infrastructure Protection Plan (NIPP). Currently, he is leading the joint public and private sector effort to develop the Electricity Subsector Cybersecurity Risk Management Process (RMP) guideline. Prior to joining DOE, Matt worked for MITRE, a federally funded research and development center, supporting the Department of Homeland Security, Office of Infrastructure Protection. Matt started his career as a civilian nuclear engineer working for the U.S. Navy at Puget Sound Naval Shipyard. He holds a B.S. in Materials Engineering from Rensselaer Polytechnic Institute and a Master of Public Policy from Georgetown University.
Craig Miller - Dr. Miller has more than 30 years of senior project management experience in the power and high tech industries, with work ranging from plant repowering in former Soviet bloc countries to market solutions for sulfur dioxide reduction in the US. He has managed large multidisciplinary teams implementing custom hardware and software systems on projects up to $120M for Fortune 100 corporations and the Federal government. He was a pioneer in several areas of information technology including electronic data interchange, online trading systems and the architectural foundation of cyber security. In 1997, he was awarded a gold medal by the Smithsonian Institution for "Heroic Achievement in the Advancement of Information Technology." In 2008, he joined NRECA to lead the organization's $68 million smart grid demonstration project and related research efforts in advancing the smart grid. He holds a Ph.D. in Systems Engineering from the University of Virginia, has been a serial and successful entrepreneur, and is an inventor.
Patrick Miller - Mr. Miller has dedicated his career to the protection and defense of the North American critical energy infrastructure. He is the founder of EnergySec, and currently its President and CEO. Patrick is also the Principal Investigator for the National Electric Sector Cybersecurity Organization (NESCO). Patrick's diversity of professional experience is one of his strengths. In the energy industry, he has covered all business and operational aspects, holding positions with asset owners, a regulator, and private consulting firms. He has also held key roles in the Insurance, Internet and Telecommunications sectors. Among other credentials he has earned the CISA and CISSP certifications. Patrick is an active member of several critical infrastructure security working groups and committees and an established speaker on the subjects of critical infrastructure protection, industrial and process control system security, smart grid security, regulatory compliance, audit, and privacy.
Prudence Parks - Prudence Parks is the Director of Government Affairs and Legislative Counsel for the Utilities Telecom Council. Prudence brings more than 25 years of legislative and political experience to her work representing UTC and its members in Washington. Her accomplishments include amendments to the Communications Act of 1934 exempting utilities from spectrum auctions; a federally mandated report by the Department of Commerce on the uses of spectrum by utilities and pipelines; the recognition of secure and reliable communications capabilities as essential to smart grid deployment under the Energy Policy Act of 2005; and appropriations for Smart Grid and broadband grants under the American Recovery and Reinvestment Act of 2009. She also served as a contributor to the NSTAC report to the President on the Telecommunications and Electric Power Interdependencies Task Force Report, and subsequent efforts to implement the recommendations contained therein. Currently, she is actively engaged in the cyber security debate taking place on Capitol Hill and at DHS, DOE and the FERC. Prudence holds an undergraduate degree from Colby College and a law degree from the George Washington University.
Ben Tomhave - Ben Tomhave, MS, CISSP, helps global enterprises, SMBs and service partners unlock the real promise of integrated governance, risk and compliance in his current role as Principal Consultant for Lockpath, a market-changing GRC software company. A distinguished author and experienced speaker, he currently serves on the OWASP NoVA chapter board, the Society of Information Risk Analysts board, and as the co-vice-chair of the ABA InfoSec Committee. He is also a member of ISSA and the IEEE Computer Society, and earned an MS in Engineering Management from The George Washington University with an InfoSec Management concentration.
Jack Whitsitt - Jack Whitsitt brings a breadth of cyber security knowledge and thought leadership to any discussion. His early efforts, which have been cited in IEEE papers, thesis research, and other works, include leading an open source development group in creating novel tools to respond to attacks, creating new methods of correlating and visualizing large scale security information, and supporting large US government and civilian incident response teams looking at traditional IT networks. More recently, Whitsitt has been working in the areas of control systems (SCADA) security and national level risk management, partnership, and information sharing. In 2009 and 2010, he worked for Idaho National Lab as an early member of DHS's national ICS-CERT team, as a part of the DHS NCCIC, responding to critical infrastructure incidents of national consequence. Currently, he is a federal employee supporting TSA in its capacity as the Sector Specific Agency (SSA) for transportation (including pipeline) security. In this role, he has been facilitating a national initiative for transportation implementing a reasoning framework for guiding strategic national cyber security policy within the sector and for providing organizations with national level insights into their own individual risk management efforts.