
2020 Deloitte Power & Utilities Conference
Knowledge to thrive
December 2, 2020

Cyber security: Securing and protecting the digital utility and grid

Sharon Chand, Principal, Deloitte & Touche LLP
Sam Icasiano, Senior Manager, Deloitte & Touche LLP
Robert M. Lee, CEO and Co-Founder, Dragos, Inc.

Agenda

Opening Remarks ........................................ 4
Cyber Threats in the Digital Grid ....................... 5
Hot Topic: Secure Supply Chain .......................... 8
Hot Topic: Cyber Security in Renewables ................ 11
Takeaways .............................................. 14

Copyright © 2020 Deloitte Development LLC. All rights reserved. 2020 Deloitte Power & Utilities Conference 3

Polling question #1

On a scale of 1-5, how would you rate your familiarity with cyber security risks for your type of organization?
• 1 - Novice
• 2 - Advanced Beginner
• 3 - Competent
• 4 - Proficient
• 5 - Adept

Cyber security risks
Cyber risk continues to increase as the attack surface increases.

$600B+  Estimated cost of cyber-attacks to the global economy.[1]
$3.92M  Average cost of a data breach as of 2019.[2]
93%     of all cyber attacks involve financial or espionage motivations.[3]
600%    Increase in Internet of Things (IoT) attacks.[4]

Sources:
[1] McAfee, “Economic Impact of Cybercrime — No Slowing Down”, Feb 2018, https://www.keymethods.com/2019/02/cybersecurity-outlook-2019/#:~:text=A%202018%20McAfee%20report%20Economic,per%20cent%20of%20global%20GDP.
[2] https://www.varonis.com/blog/cybersecurity-statistics/
[3] Verizon’s 2017 Data Breach Investigations Report, https://www.verizondigitalmedia.com/blog/2017-verizon-data-breach-investigations-report/
[4] Symantec 2018 Internet Security Threat Report, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/istr-24-cyber-security-threat-landscape

Power, Utility & Renewables threat landscape
The threat landscape continues to expand as the value chain transforms with increased .

[Figure: Electric Utility Value Chain, today and tomorrow]

Generation
  Today: conventional generation
  Tomorrow: Advanced inter-connected generation solutions with advanced monitoring and controls

Transmission & Distribution
  Tomorrow: Smart transmission and distribution

Customer Management
  Today: Residential consumers, Commercial consumers
  Tomorrow: Residential and commercial consumers with self-service

Corporate Services
  Tomorrow: Automation of manual functions and activities

Polling question #2

What do you consider the biggest risks from a cyber security perspective to your organization's operations?
• Data breach or loss
• attack
• Compliance incidents
• Safety risk
• Compromised infrastructure
• Financial impact
• Risk not listed

Supply chain attacks have been affecting the Power, Utility & Renewable industry since 2009

Common attack entry points from the supply chain include: Malware, Viruses, Watering holes. However, threat actors can introduce compromised components into a system, unintentionally or by design, at any point of a system’s life cycle.

• 2009 | Shodan
  Search engine to find Internet-connected devices (including control system devices)
• July 2010 | Attack on SCADA control systems
  Irreparably damaged centrifuge equipment at Iranian nuclear facilities
• October 2010 | Metasploit
  The security tool was developed to explore system vulnerabilities; it was then used to target Industrial Control System (ICS) devices
• August 2012 | Virus destroys data as a means to disrupt operations
  Hit 15 state and private entities in Saudi Arabia
• December 2015 | Ukraine Power Grid 1 (BlackEnergy)
  Attackers deployed SCADA-related plugins to control ICS and turn off power to 230,000 residents of western Ukraine
• 2016 | Ukraine Power Grid 2 (CrashOverride)
  Designed to attack electric grids, it took down a Ukrainian transmission-level substation and caused an outage by leveraging legitimate grid operations against the grid itself
• January 2017 | Shamoon 2
  This second round of the virus hit a number of state agencies and private sector companies in Saudi Arabia
• August 2017 | Trisis/Triton
  Penetrated the safety systems of a petrochemical plant in Saudi Arabia. Designed not just to destroy data or shut down the plant but to sabotage operations and trigger an explosion [1]
• Winter 2018 | Critical Infrastructure Vendors
  US-CERT alerts on state-sponsored attacks on critical infrastructure vendors [2]

Sources:
[1] Managing cyber risk in the electric power sector, Deloitte Insights, Jan 2019.
[2] US-CERT Alert (TA18-074A), National Cybersecurity and Communications Integration Center, Mar 16, 2018.

Personas in the Secure Supply Chain ecosystem

Manufacturers and Developers: Produce products, hardware and software, that are then utilized by other firms to operate their business.
Service Providers: Provide to help consumers meet business objectives.
Buyers / Users of Products: Purchase products and services from providers in order to meet business objectives.

Manufacturers and Developers ask:
• How do I confirm my software is free of malicious code? Am I using stale code?
• From where do I source the sub-components of my products?
• Will my product pass the consumer’s risk processes and meet regulatory obligations?
• Has my product been securely handled after coming off the production line?
• Is there a backdoor in my product? What do I do if my existing product becomes compromised?
• Can I prove I complied with standards in the development of my product?

Service Providers ask:
• Does my team know how to properly handle sensitive client information?
• Am I delivering my services in a secure manner?
• Am I tracking when team members roll on/roll off engagements?
• Am I bringing secure devices into a client environment?
• Am I storing client information on my own assets?
• Are my team members qualified to assist the client with the particular project scope?

Buyers / Users of Products ask:
• How do I enforce compliance with terms, conditions, and other obligations?
• How do I evaluate security risks for specific vendors?
• Who are my key suppliers working with? Fourth/fifth parties?
• How do I monitor my vendors’ security risk?
• How do I prove out product provenance? Is this product I’m installing authentic?
• What’s the risk of deploying this product, service, or software in my company?

Regulatory Agencies and Industry Groups ask:
• How do I protect national security through supply chain mechanisms?
• How do I balance safety and security while maintaining healthy competition in the marketplace?
• How do I protect consumers through supply chain regulation?

Polling question #3

What are the supply chain threats your organization is most worried about?
• Grid/SCADA compromise
• IP theft
• Third-party data introduction of malware
• Poor practices by vendors
• Compromised components in purchased equipment

Cyber security for Distributed Energy Management/Storage Management Systems
IoT and cloud computing technologies are expected to advance distributed energy and battery management systems.

Potential Threats from IoT and Cloud Vulnerabilities
• Unauthorized software updates / changing source code on Internet of Things (IoT) devices
• Unauthorized access to data storage in IoT devices
• Insecure IoT network protocols
• SQL injection attack on the cloud database
• Unauthorized cloud access from unauthorized IoT devices/botnets

Cyber Attack Defense Strategies
• Strategies for securing IoT software
  − Design the secure coding of the IoT devices
  − Format source code as libraries, executables and obfuscated code
• Strategies for network security
  − Authentication key-enabled IoT protocol for the IoT network
  − TLS/SSL security for the TCP/IP protocol
  − Key-based authentication for SSH security
• Strategies for SQL injection (SQLi) mitigation
  − Constrain and sanitize input data
  − Use type-safe SQL parameters for data access

Cybersecurity for Trustworthy IoT Network and Data Security
• Blockchain is a distributed chronological ledger that maintains a continuously growing list of data records secured from tampering and revision.
• Blockchain is hosted, updated and validated by individual peer nodes rather than by a single centralized authority; the blockchain improves the trust, security, and transparency of network transactions.
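The two SQLi mitigations listed above (constrain input, bind typed parameters) applied to a cloud-side telemetry table for battery devices, as an added example that is not part of the slide deck; the table schema, the device-id format and the sample values are constructed for illustration:

```python
import re
import sqlite3

# Constructed sample: an in-memory stand-in for the cloud database that
# receives state-of-charge (SoC) readings from IoT battery controllers.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (device_id TEXT, soc_percent REAL)")
    return conn

DEVICE_ID_RE = re.compile(r"^[A-Z0-9]{4,16}$")  # assumed device-id format

def validate_reading(device_id, soc_percent):
    """Constrain input: only the expected shape and range reach the SQL layer."""
    if not isinstance(device_id, str) or not DEVICE_ID_RE.match(device_id):
        raise ValueError("device_id must be 4-16 uppercase alphanumerics")
    soc = float(soc_percent)
    if not 0.0 <= soc <= 100.0:
        raise ValueError("state of charge must be within 0-100 %")
    return device_id, soc

def insert_reading_unsafe(conn, device_id, soc_percent):
    """Weak pattern: device-supplied text is spliced into the statement."""
    sql = f"INSERT INTO readings VALUES ('{device_id}', {soc_percent})"
    conn.executescript(sql)  # executes whatever statements the text contains

def insert_reading_safe(conn, device_id, soc_percent):
    """Hardened pattern: validated values are bound as typed parameters."""
    device_id, soc = validate_reading(device_id, soc_percent)
    conn.execute("INSERT INTO readings VALUES (?, ?)", (device_id, soc))

def count_readings(conn):
    return conn.execute("SELECT COUNT(*) FROM readings").fetchone()[0]

def compare(payload):
    """Run one constructed malformed device_id through both paths.
    Returns (rows after safe path, safe path rejected it, rows after weak path)."""
    conn = make_db()
    insert_reading_safe(conn, "BAT001", 57.5)        # legitimate reading
    try:
        insert_reading_safe(conn, payload, 50)
        rejected = False
    except ValueError:
        rejected = True
    rows_safe = count_readings(conn)
    insert_reading_unsafe(conn, payload, 50)          # weak path on the same input
    return rows_safe, rejected, count_readings(conn)

if __name__ == "__main__":
    print(compare("X', 1); DELETE FROM readings; --"))  # → (1, True, 0)
```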

Cyber security risks in the manufacturing and research and development (R&D) landscape

Third-Party Vendors
  Compromise of a trusted third-party company or vendor that leads to an intrusion within the company’s network.
  Potential impacts:
  - Network compromise
  - Privileged account abuse
  - Direct access to third-party tools on the company’s network

Data Breach
  Infiltration of a company’s network that leads to a data breach of customer data, company confidential or other sensitive information.
  Potential impacts:
  - General Data Protection Regulation (GDPR) or other applicable fines
  - Reputational impact
  - Customer loss

Patching & CVEs
  Inability to update or patch manufacturing machines based on incompatibility with older machines or a need for high availability (e.g., unable to have extended downtime).
  Potential impacts:
  - Increased likelihood of device compromise
  - Persistent vulnerabilities
  - Incompatibility of security software for monitoring

Cyber Espionage
  Intrusion into the company’s network that leads to exfiltration of intellectual property or disruption of manufacturing by a competitor to gain a business advantage.
  Potential impacts:
  - Physical machine disruption
  - Blocked business expansion
  - Supply chain compromise
  - IP and R&D theft
  - Leaked IP or trade secrets

Polling question #4

What do you think can help improve your organization's security levels?
• Executive (IT/OT) steering committees
• Better employee security awareness
• Advanced security technology
• Larger budgets
• Senior management commitment
• Growing our security teams

Takeaways

Specific actions you should own

• Start with your team
• Engage in the business case
• Understand the risks
• Understand your assets (Business, IT and OT)

Key questions you should ask

• How is cyber security risk measured?
• Where can cyber leverage more automation?
• How is cyber security reinforced in our culture?
• Do we have an independent assessment of our security?

Cyber everywhere. Go anywhere.

Cyber is about starting things, not stopping them. With security at the forefront, build a smarter, faster, and more connected future that allows for the freedom to create in an era of complexity.

Connect with us

Sharon Chand
Principal, Deloitte & Touche LLP
+1 312 486 4878
[email protected]

Sam Icasiano
Senior Manager, Deloitte & Touche LLP
+1 973 602 6091
[email protected]

Robert M. Lee
CEO and Co-Founder, Dragos, Inc.
+1 855 372 4670
[email protected]

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities (collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.

No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

© 2020. For information, contact Deloitte Global.