CenSec Homeland Security Conference 2018 The Energy Sector

Michael Lisanti

Where Industrial Control System (ICS)

Attacks are coming from

Breakdown of origin countries for non-critical and critical attacks from Trend Micro SCADA honeypot research

“Hacker” Management Interface (HMI)

and ICS Vulnerabilities

Alert (TA18-074A) Russian Government

Cyber Activity Targeting Energy and Other

Critical Infrastructure Sectors Original release date: March 15, 2018 | Last revised: March 16, 2018

Cybersecurity Capability Maturity Model (C2M2) US Department of Energy (DoE)

• Public-private partnership

• Improve Energy Sector capabilities,

bench marking, knowledge sharing

• IT and OT best practices

• Informed by CMU SEI CERT Resilience Maturity Model

(CERT-RMM)

Cybersecurity Capability Maturity Model (C2M2)

Electricity Subsector Cybersecurity Capability

Maturity Model (ES-C2M2

Oil and Natural Gas Subsector Cybersecurity

Capability Maturity Model (ONG-C2M2)

100+ Faculty | University-Wide | 200+ Students | 1 CMU

Creating a world where people can trust technology

100+ Faculty | University-Wide | 200+ Students | 1 CMU

Creating a world where people can trust technology

Addressing the Cybersecurity Workforce Crisis CMU picoCTF: Inspiring Students in STEM

• World’s largest online hacking competition

• 75,000+ students from 1000+ USA

middle/high schools and 154 countries

have competed

• Supported by global sponsors

Norway classroom

CyLab Brings Together CMU’s Research Foundations in Security and Privacy

Network security

Computing

Policy People

Software security

Cyber physical systems and IoT

Hardware security

Language-based security and verification

Cryptography & Blockchain App

Trustworthy computing

Usable privacy and security

Behavioral science

Security Economics

Risk analysis & management

Adversary and threat modeling

Privacy engineering

Data Security & privacy regulation

Biometrics and authentication

Mobile security and privacy

Web and application

security

Systems security

Decision science

AI & Machine Learning

Privacy & Compliance

Uptime & Reliability

Scalability Safety & Security

Why is Securing IoT Challenging?

Speed & Cost

&

Secure and Private IoT Vision

OPERATE

DEPLOY

BUILD

Detect & Remediate (Months to Years)

TRUST

AUTONOMOUS HEALING

ACCOUNTABILITY

Detect & Remediate

(Milliseconds to Seconds)

Autonomous Software Defined

Networks (SDN)

Secure and Private IoT

Privacy-Respecting AI Reporting

Autonomous Healing

1

Trust 2

Accountability 3

Secure Primitives

City-Scale IoT

Progressive Strategy

Principles: Advancing IoT Security Research

Security is a Team Sport. Solve hard problems.

Sponsors participate, influence, integrate personnel throughout research lifecycle

Supports 8-10 graduate students, 1-2 professional developers

Build relationships with students, faculty, other sponsors

Make it Tangible. Build actual systems & software.

Annual Call for Proposal seeds innovation projects

Integrated IoT reference stack, incrementally refine

Living lab testbed extended to smart cities, other verticals

Open source, permissive license. Take research in-house

Amplify Investment. Make bigger impact.

$30MM+ in government funding

Sponsor funds pooled: $1M+/yr research funded (>5x amp.)

Goal: Develop IoT Reference Research Stack

Secure and Privacy-Respecting IoT

Open source end-to-end architecture, artifacts, platform for creating autonomous healing, trusted, accountable Internet of Things

Multiyear project and living lab testbed, deploying into smart cities, building on Carnegie Mellon CyLab security and privacy heritage

Partnering with a limited number of technology leader companies

#1 Competitive Computer Hacking Team (DefCon CTF competition)

#1 DARPA Cyber Grand Challenge Winner (Mayhem)

#1 World’s First Computer Emergency Response Team (CERT®)

#1 Cyber Security Graduate Programs (Universities.com)

#1 School of Computer Science (U.S. News & World Report)

#1 Artificial Intelligence (U.S. News & World Report)

100+ Faculty 200+ Graduate students

100+ security/privacy courses 25,000 ft2 of collaborative research space

1442 Faculty 14,528 Students

111 countries represented 7 colleges, global presence

Why Partner With Us?

#1 Startups Per Research Dollar (Association of University Technology Managers)

#1 Information & Technology Management (U.S. News & World Report)

#4 Computer Engineering (U.S. News & World Report)

#10 Best for New Hires (Wall Street Journal)

27,000 participants in world’s largest hacking contest (picoCTF)

215,000+ professionals trained in cybersecurity

Accolades

How would you like to collaborate on cybersecurity research and education?

Michael Lisanti Director of Partnerships

+1 412-268-1870 mlisanti@cmu.edu www.cylab.cmu.edu