Engineering and Construction Security Peer Group (ECPG) 06.07.2017 Tim Potier, Vice President & Chief Security Officer

Engineering and Construction Security Peer Group (ECPG)ecrisponsor.org/presentations/lo17-14 - Tim Potier... · 2019-02-16 · Role of the CISO, ... frameworks such as NIST and ISO


Page 1

Engineering and Construction Security Peer Group (ECPG)

06.07.2017

Tim Potier, Vice President & Chief Security Officer

Page 2

Agenda

• Introductions

• ECPG Defined

• Focus Areas

• Success Stories

• Logistics

Page 3

Biography

• Chief Security Officer, Parsons Corporation (2012 – Present)

• Former Chief Information Security Officer, Northrop Grumman Shipbuilding (14 years)

• Active in Information Security community

2017 RSA Executive Panel

Chair ECPG

Cal Polytechnic Cyber Board

Chief Information Security Officer Executive Committee

ISACA, InfraGard, DSIE, DIB, ASIS

CAISWWG and iTen Wired Speaker

• Focus on all things “security”, including information assurance, physical and industrial security, government security, risk management, compliance, and governance


TIM POTIER

Page 4

What is the ECPG?

Community of security executives from corporations within the Engineering and Construction industry,

committed to maturing the security capabilities of the industry through continuous and confidential

communication and information sharing.

Page 5

Genesis

• In the Summer of 2014, the US Department of Defense formally announced a proposed amendment to the DFAR, requiring advanced cybersecurity controls for any company performing work in their support.

• In parallel, advancing US and international regulations in the areas of security, privacy, and compliance were becoming evident.

• Upon my arrival at Parsons, the company was formulating a strategy to address future compliance requirements. Coming from the Aerospace and Defense Sector, one of my initial actions was to consult with peer companies on their strategy.

• At that time it was readily apparent that no structured collaboration organization existed for the Engineering and Construction industry, so I started one!

Page 6

Initial Observations

• Absence of any relationships or regular communication between the security professionals in the Engineering and Construction industries (at leadership or technical levels); a stark difference from many other sectors

• Significant variation in interpretation of security compliance requirements, even when companies were partnered in support of a specific customer or project

• Significant differences in security support services, staffing, management, and organization.

Role of the CISO, reporting relationships, organization

Number of staff

Budget

• Strategic roadmaps were inconsistent across member organizations

• Zero group leverage being utilized in supplier, vendor, and partner management

• Very little representation as an industry in national and international events, conferences, marketing segments

Page 7

Focus Areas

Although primarily represented by members with a focus on traditional information security, the ECPG is not limited to that domain.

• Information Security: Focuses on the protection of electronic information, assets, and systems.

• Physical Security: Focuses on the safety and protection of human resource assets and facilities. Includes disaster recovery, business continuity planning, crisis management, and executive protection

• Industrial Security: Focuses on the complete security portfolio for classified information processing environments (think Secret, Top Secret, NATO, etc).

• Governance Risk & Compliance: Although a critical component of the aforementioned, focus is given to regulatory security and compliance frameworks such as NIST and ISO.

Page 8

Strategy and Goals

Build a network of security executives in the Engineering and Construction Industry

Encourage strategy evaluation and information sharing

Encourage technical and program management security resource collaboration across constituent companies. Information sharing, threat intelligence sharing, etc.


Develop a set of minimum security standards that the members can agree on, for use when evaluating suppliers, partners, and internal security control implementation

Assess opportunities for collective leverage with major industry suppliers (AutoCad or Bentley for example)

Page 9

Success Stories: Regulatory Change


Illustrates the benefit of having the ability to consult with peer companies while assessing the impact of regulatory change.

Case 1: Recent airline carry-on baggage policy changes impacted the security postures of multiple companies. Collectively, the group was able to determine the risk of the new policies and share communication and mitigation strategies.

Case 2: The one that started the group: the DFAR. There have been multiple publications of the DFAR rules, and in each instance the ECPG has been able to assess impact and make recommendations to the members. This also highlights the value of having leading roles in other industry working groups, and how that information can benefit all members.

Case 3: NISPOM 2 was published in late 2016, and with it came a new requirement for developing an Insider Threat Program. One member is Chairman of the ASIS Insider Threat Working Group, and was able to share draft program frameworks and policies with members, which were otherwise unavailable.

Page 10

Success Stories: Technology Selection


Illustrates the benefit of having the ability to consult with peer companies while considering new technology deployment.

Case 1: One company was able to avoid significant investment in a multi-factor authentication technology that it was considering, after hearing about problems from another member. Further consultation with the technology provider identified multiple deficiencies in the tool, resulting in selection of another tool.

Case 2: As an industry, the ECPG is presenting a unified front in terms of requirements for security features to major industry software companies, like Autodesk and Bentley.

Case 3: Implementation of Windows 10 introduces risks of data loss through “features” like telemetry. As an industry, we have been able to identify mitigating controls.

Page 11

Success Stories: Threat Intelligence Sharing


Illustrates the benefit of having the ability to share security threat intelligence across multiple organizations: broad-spectrum coverage.

Case 1: Three member companies were attacked by the same financial fraud scheme within a short timespan. Identification of the threat, along with indicators of compromise, and sharing that information with other members successfully thwarted additional attacks, saving potentially millions in fraudulent activity.

Highlights the importance of having member organizations with broad engagement in other sector working groups.

Case 2: WannaCry ransomware. The ECPG was able to quickly provide threat indicators and defense strategies to its constituent members, within hours of the first publicized attacks.

Page 12

Success Stories: Security Policy


Illustrates the benefit of having the ability to consult with peer companies while developing overall security policy and governance.

Case 1: Prior to 2017, there was no consistency in the standard security terms and conditions in member contracts. The ECPG was able to collaborate on standard security requirements, which are available for use by member organizations.

Case 2: The publication of Acceptable Use Policies (AUP) varied wildly across most member organizations. The ECPG was able to collaborate on a framework for AUPs, which is now being leveraged by many members.

Case 3: Security frameworks are numerous and varied, but through continuous collaboration the ECPG has demonstrated a preference for NIST and ISO. Framework mapping, policy, and procedures are discussed and shared between members.

Page 13

Rules of Engagement

• Currently Chaired by Tim Potier (Parsons); no additional official roles defined

• The ECPG is currently an informal organization, with no formal membership application or agreements required.

Consideration is being given to requirements for a Non-Disclosure Agreement, but today, “what happens in Vegas, stays in Vegas”

We recognize that members are partners AND competitors in the marketplace, so care is taken to ensure intellectual property and competitive information is strictly guarded and not shared unless formally authorized


• Admission to the group has to be approved by a majority of constituent members, and is limited to corporations with ties to Engineering and Construction

• Currently, all members are US Persons, although some companies are foreign owned

• All discussions are treated as confidential, and not shared with any members outside the ECPG unless approved by pertinent member

Page 14

Logistics

• Monthly Teleconference for All Members

Meeting has agenda posted in advance, and concentrates on actions from previous meetings and any strategic security topic proposed by a member

Working Group briefs are also presented

Limited to members only, and no suppliers or vendors are invited

Delegates or substitute participants must be approved in advance

• Ad-Hoc Meetings

These meetings serve to provide audience for any supplier presentations that are excluded from the monthly meeting

Working Groups meet to focus on specific strategic initiatives

• In-Person Meeting

Tentatively planned for Q4 2017 at Jacobs Engineering for entire group

Multiple one-on-one meetings have taken place between various members

Page 15

Charter


Charter and Mission

The ECPG is a non-profit peer group supporting the community of Information Security practitioners of the Engineering and Construction industry, enabling members to leverage the experience and expertise of each other for the more effective and timely protection of their organization’s critical information assets. The ECPG organizes meetings, panel discussions, conference calls and special events to facilitate communications among its members and the general information security community.

Membership

Membership in the ECPG group is by current member referral and approval by the team (or board or president). Members must be related to the Engineering and Construction industry, and must be the highest operational security practitioner, e.g. CISO, Director or Executive Director, FSO, or Manager of an Engineering and Construction company or enterprise.

Participation

Membership has its privileges and its responsibilities. Membership in the peer group is based on trusted sharing under non-attribution. Opportunities for sharing include, but are not limited to:

Response to surveys

Sharing of operational experiences and guidance

Sharing security best practices

Participation in panel discussions at local conferences and events

A minimum level of annual participation must be maintained, including monthly conference calls.

Peer Group Member Alternates or Delegates

A member representing an organization may identify a full-time employee from the same organization as a delegate to attend events, meetings, conference calls and special interest groups in a calendar year. If a member leaves the peer group, the delegate is no longer authorized to participate unless approved by the team.

Special Interest Group

The ECPG may establish special interest groups to serve the membership and provide focus on specific areas of knowledge, learning or technology. Members or delegates cooperate to effect or produce solutions within their particular field, and may communicate, meet and collaborate.

Engineering & Construction Peer Group (ECPG)

Page 16

• Closing Remarks

• Questions

Thank You