Cybersecurity Update Cascade Natural Gas.

MDU Resources Group, Inc.
1+ million customers / 4 utility brands / 8 states
Gas • Electric • Propane

Cybersecurity Management Structure
- CIO
- Director – Enterprise Security & Governance
- Manager – Cybersecurity
- Cybersecurity Engineers, Cybersecurity Administrators, Cybersecurity Architects (internal ethical hacker)
- Director – Enterprise Operations Support / Utility Operations

Board of Directors
- Retired, former chairman and chief executive officer of CA Technologies
- Previously held executive positions with IBM Corp. and ICON Office Solutions Inc.
- Expertise: Corporate governance and technology

Goal 2: Cybersecurity – Enterprise IT (EIT) Strategic Plan
Secure IT systems and networks, keeping ahead of evolving cyber threats. EIT will develop and implement information security policies to align with regulatory requirements while following the SANS 20 Critical Security Controls. Goals include the adoption of common cybersecurity tools and policies to enable secure communications, along with designing an IT architecture with resiliency as an always-on state, built to survive failure. IT systems and networks are proactively managed and monitored to ensure weaknesses are identified, compliance with best practices is maintained, and risk-based strategies are in place to adjust to rapid changes in the threat landscape.
SANS: SysAdmin, Audit, Network, Security

Goal 2: Cybersecurity – Enterprise IT (EIT) Strategic Plan
2.1 SANS 20 Critical Security Controls Maturity and Operations Technology (OT) Security
2.2 Cybersecurity Employee Awareness
2.3 Enhanced security with advanced technology
2.4 Increased visibility and use of Information Security Management System

Cyber Risk Oversight Committee (CYROC)
Formed in 2012 to focus on the full range of cyber risks the Company faces, including strategic, financial, operational, regulatory, information technology, security, health and safety, and reputational. Authorized by the Board of Directors.
- CIO – Chair
- IT leaders from the Business Units, appointed by the CEO to serve as voting members
- CFO, Legal, Communications & Internal Auditing staff members – non-voting advisory members of the CYROC

Cyber Risk Oversight Committee (CYROC)
- Stay current on the cybersecurity environment
- Evaluate, review and recommend cybersecurity tools
- Review, determine and recommend cyber-risk tolerance
- Plan and review cybersecurity activity
  - Table Top Exercises – GridX, INNGA, Black Hills Security Table Top
  - Physical Security Review – Security Team, Utility Group Operations, Internal Audit
  - Security and Operations team detailed review of technology and connectivity
  - Reviewing automation technology for OT environments
  - Penetration Test, Phishing & Smishing exercises

CIRP Committee – Cyber Incident Response Plan
The purpose of the CIRP Committee is to prepare for and respond to significant Cyber Incidents affecting the Company. Primary advisor to the CYROC and the MPC in making determinations regarding breach notification and response.
- Cyber Incident Detection, Reporting and Assessment
- Internal Notification Process
- Cyber Incident Handling and Response
- Quarterly Plan Review / Annual Plan Test

Planning & Review
- Cybersecurity policy/strategy/governing document – EIT Strategic Plan
- Auditing – Internal & External (D&T/Business, Enclave/Technical)
- Cybersecurity Update – Quarterly Review
- Cybersecurity plan Test – Annually (Internal & External), Random
- National Organizations – Newsletters, e-Mail, Scheduled Sessions: US-CERT, ICS-CERT, AGA Cybersecurity Strategy Task Force, DNG-ISAC, etc.

National Cyber Strategy of the United States of America
Outlines the Administration’s plan to address cybersecurity nation-wide through four pillars:
- Protect the American People, the Homeland, and the American Way of Life
- Promote American Prosperity
- Preserve Peace through Strength
- Advance American Influence

Western Energy Institute CIO Forum – Sept 26th
Getting Into the Mind of a Cybercriminal (Executive Security Advisor)
- How do underground groups conduct attacks?
- Where do they communicate and coordinate?
- What products and services do they buy and sell?
- Review basic hacking and OSINT (Open Source Intelligence) techniques
- See how easy it is to profile and get all the information you need on your target
- Visit underground and dark web websites where identity theft and malware customization is bought and sold

Procurement Practices
- Best Practices Guide – Due-Diligence Questionnaire
- EIT Review / Corporate Legal Review
- HR Involvement – 3rd party background checks
- Non-Disclosure Agreement
- Independent Vendor Rating Service
- Third Party Management – Vulnerability Assessment

Risk Management
- Security Information Event Management (SIEM)
  - Real-time analysis of security alerts generated by applications and hardware
  - Monitoring traffic entering and leaving IT and OT environments
  - 24x7 3rd party monitoring
- Vendor Contract – Hacking: ethical hackers identify vulnerabilities before the bad actors do
- Vendor Contract – Penetration Test (2-year vendor rotation)
  - External test conducted the week of Sept. 10th (1-week engagement)
  - Internal test starting the week of Sept. 10th (3-week engagement / hidden)
- Vendor Contract – Scanning: scans websites to detect and analyze potential malicious files and URLs
- “Phishing” and “Smishing” 3rd party exercises (employee awareness effort continues)
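
The SIEM items on this slide describe monitoring traffic that crosses between the IT and OT environments and correlating the resulting alerts. As an added example (not code from the presentation, nor from MDU Resources or Cascade Natural Gas), the following Python sketch shows the kind of correlation a SIEM rule set performs over firewall flow records at that boundary: it flags IT-to-OT connections that are not on an approved conduit list, any OT host reaching an external address, inbound attempts against OT hosts (even when the firewall denied them), and a single source touching several OT hosts on one port. The zone ranges, the allowlist, the sweep threshold and the log lines are constructed assumptions for illustration only.

```python
"""Minimal SIEM-style correlation over firewall flow records at the IT/OT boundary.

Added example; not part of the Cascade Natural Gas presentation. Zone ranges,
the approved-conduit allowlist, the sweep threshold and the log lines are all
constructed assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

IT_ZONE = ipaddress.ip_network("10.10.0.0/16")  # assumed corporate IT range
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")  # assumed control-system range

# Assumed approved IT -> OT conduits as (destination host, port) pairs.
ALLOWED_IT_TO_OT = {("10.20.1.5", 443), ("10.20.1.10", 22)}

# One source hitting this many distinct OT hosts on one port is treated as a sweep.
SWEEP_THRESHOLD = 3

# Constructed sample flow log: <timestamp> <src_ip> <dst_ip> <dst_port> <action>
SAMPLE_LOG = """\
2018-09-10T08:00:01 10.10.5.23 10.20.1.5 443 ALLOW
2018-09-10T08:00:05 10.10.5.23 10.20.1.20 502 ALLOW
2018-09-10T08:00:07 10.20.3.4 203.0.113.9 443 ALLOW
2018-09-10T08:00:09 10.10.5.23 10.20.1.21 502 ALLOW
2018-09-10T08:00:12 10.10.5.23 10.20.1.22 502 ALLOW
2018-09-10T08:00:15 10.10.7.8 10.10.9.9 445 ALLOW
2018-09-10T08:00:20 198.51.100.7 10.20.2.2 22 DENY
"""


def zone(ip: str) -> str:
    """Classify an address as IT, OT or EXTERNAL using the assumed ranges."""
    addr = ipaddress.ip_address(ip)
    if addr in IT_ZONE:
        return "IT"
    if addr in OT_ZONE:
        return "OT"
    return "EXTERNAL"


def parse_log(text: str) -> list:
    """Parse whitespace-separated flow records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "action": action})
    return records


def correlate(records: list) -> list:
    """Return (rule, source, detail) alerts for boundary-crossing and sweep patterns.

    Rules:
      unapproved-it-to-ot  IT host reaching an OT host/port not on the allowlist
      ot-egress            OT host talking to an external address
      inbound-to-ot        external address reaching for an OT host (even if denied)
      possible-ot-sweep    one IT source touching >= SWEEP_THRESHOLD OT hosts on one port
    """
    alerts = []
    touched = defaultdict(set)  # (src, port) -> OT hosts contacted
    for r in records:
        src_zone, dst_zone = zone(r["src"]), zone(r["dst"])
        target = f'{r["dst"]}:{r["port"]}'
        if src_zone == "IT" and dst_zone == "OT":
            if (r["dst"], r["port"]) not in ALLOWED_IT_TO_OT:
                alerts.append(("unapproved-it-to-ot", r["src"], target))
            touched[(r["src"], r["port"])].add(r["dst"])
        elif src_zone == "OT" and dst_zone == "EXTERNAL":
            alerts.append(("ot-egress", r["src"], target))
        elif src_zone == "EXTERNAL" and dst_zone == "OT":
            alerts.append(("inbound-to-ot", r["src"], f'{target} ({r["action"]})'))
    # Second pass: aggregate per (source, port) so a slow sweep is still caught.
    for (src, port), hosts in touched.items():
        if len(hosts) >= SWEEP_THRESHOLD:
            alerts.append(("possible-ot-sweep", src,
                           f"port {port} on {len(hosts)} hosts"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in correlate(parse_log(SAMPLE_LOG)):
        print(f"{rule:20} {src:15} {detail}")
```

Running the script prints six alerts for the constructed log: three unapproved IT-to-OT flows on port 502, one OT egress, one inbound attempt against an OT host, and one sweep. In a real deployment the allowlist would come from the documented conduit inventory rather than a literal in the script, and the sweep rule would be bounded by a time window so that legitimate maintenance traffic spread over a day does not trip it.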

R&D
- Artificial Intelligence and Machine Learning: bad actors are developing automated hacks that are able to study and learn about the systems they target, and identify vulnerabilities, on the fly. We need to be prepared to counter with our own advanced response.
- Software Robots: bots for streamlining business processes; bots to assist with security processes
- Blockchain: decentralized, distributed electronic ledger built on the model of offering absolute security and trust

Standards, Reporting, Partnerships
- Cybersecurity framework – SANS 20 Critical Security Controls
- Prioritization of cybersecurity systems – Threat Analysis & Review
- Reporting – outlined in our CIRP (Cyber Incident Response Plan)
- Partnerships
  - AGA Natural Gas Security Committee & Cybersecurity Strategy Task Force
  - WEI (Western Energy Institute) / NCEA (North Central Electric Association)
  - DNG-ISAC – “Downstream Natural Gas Information Sharing and Analysis Center” / E-ISAC
  - DHS/FBI/State Organizations
  - Etc.