By Allen Kent, NERC CIP Specialist, NAES Corporation
I attended GridSecCon 2018, the NERC E-ISAC security conference, in October 2018. Every other year E-ISAC has put on a GridEx incident response exercise, including Responsible Entities and government agencies from across the country, but that will be held starting at the 2019 GridSecCon. I have wanted to participate in GridEx for years but haven’t had the opportunity yet. It really requires an entire entity to participate to get full value, though I’ll try to observe what I can.
There was a four-hour workshop on building an effective Security Awareness Program by Curricula at the conference. This was very interesting, as Nick Santora spoke about understanding human behavior and what historically works in awareness and what doesn’t, including positive reinforcement vs. negative reinforcement. Interestingly, the next day Bill Fehrman, President & CEO of Berkshire Hathaway Energy, spoke about how his company has zero tolerance for employees clicking on phishing emails, and individuals can get terminated for repeated failures in their routine phishing tests (negative reinforcement). They take personal performance seriously there.
Nick gave two examples of positive reinforcement, both of which involved tying something in the training back to the real world. In one training, DeeDee is the attacker sending phishing emails, so they placed “Defend against DeeDee” stickers (pictured) around the facility to remind people to be vigilant with their email. In another training, a red cube with “BCA” written on it was used to identify cyber assets that required protection. Similar red “BCA” squeeze-toy cubes were placed in areas where BCAs were located, e.g. the control room, as a reminder.
Melanie Frye, President & CEO of WECC, spoke about the need to break down people’s disassociation with NERC compliance and the departmental silos, particularly between IT & OT personnel. She emphasized that compliance is less of a burden than a breach. Having worked seven years in NERC compliance, I can relate that some people simply want nothing to do with it. Similarly, security itself has been shunned but has become an essential aspect of all our work, like it or not.
Here are some takeaways from a threat panel of industry and cybersecurity experts:
- Warfare (including cyber) is a means to influence another nation
- The wellspring of risk is dependence
- Cyber-attacks have converged and now have the ability to impact both IT & OT systems. Defense systems (like a SIEM) aren’t as capable of converging event information between IT & OT yet (but they’re getting better)
- Cybersecurity should be part of your PPE
- Don’t be misled by the media misinformation
- We’re all guardians of the grid!
I also found out that E-ISAC has an industry engagement program that allows an RE representative to spend a week at the E-ISAC working with the analysts to see what happens on the ‘inside.’ Check the NERC website or contact E-ISAC for more information.