DOE Cyber Security Policy Perspectives
1 DOE Cyber Security Policy Perspectives
Mike Smith, Senior Cyber Policy Advisor to the Assistant Secretary, Department of Energy
2 Overview of DOE Cybersecurity Priorities
- Protecting the DOE Enterprise from Cyber Threats
- Bolstering U.S. Government Capabilities to Address Cyber Threats
- Improving Cybersecurity in the Energy Sector
3 Improving Cybersecurity in the Energy Sector
- Build robust information sharing and situational awareness architecture
  - Add additional energy sector entities to the Cybersecurity Risk Information Sharing Program (CRISP)
  - Conduct threat briefings
- Provide tools and technology for owners and operators to strengthen security and resilience
  - Expand implementation of the Cybersecurity Capability Maturity Model, which encourages adoption of best practices and informs cybersecurity investment decisions
  - Develop and demonstrate cutting-edge cybersecurity solutions in the energy sector
- Develop a robust incident response capability in the energy sector
  - Automate the workflow process for all stakeholders and responders to ensure faster, coordinated incident management
  - Exercise incident response capabilities
4 CRISP Overview
- Description: The Cybersecurity Risk Information Sharing Program (CRISP) combines software tools, analytical hardware and software, and analytical expertise, including private sector industry expertise, to understand and mitigate the threats focused on the nation's energy infrastructure.
- Vision: An enduring, trusted information sharing partnership between the Department of Energy and its private Energy Sector partners that significantly enhances the security of Energy Sector infrastructure systems while also improving the U.S. Government's critical infrastructure situational awareness.
5 Cyber Fed Model (CFM)
A near real-time exchange of cyber threat information focused on the reduction and mitigation of cyber security risk across our critical infrastructure
- Typically every 5-15 minutes
- Tactical (actionable info)
- Autonomic (machine-machine)
- Participant controls sharing
- Payload Agnostic
6 C2M2 Program
- ES-C2M2
  - Public-private collaborative effort
  - Sector specific subject matter expertise
  - Pilot evaluations
- ONG-C2M2
  - Tested and refined for ONG through ONG pilot evaluations across upstream, midstream, and downstream ONG companies.
- C2M2
  - Without sector-specific references or terms of art
  - Refined through the ONG pilots, and also via cross-sector outreach
7 ES-C2M2 Introduction
- Challenge: Develop capabilities to manage dynamic threats and understand cybersecurity posture of the grid
- Approach: Develop a maturity model and self-evaluation survey to develop and measure cybersecurity capabilities
- Results: A scalable, sector-specific model created in partnership with industry
ES-C2M2 Objectives
- Strengthen cybersecurity capabilities
- Enable consistent evaluation and benchmarking of cybersecurity capabilities
- Share knowledge and best practices
- Enable prioritized actions and cybersecurity investments
8 Framework - Introduction
GOALS
- Reduce cyber risks to critical infrastructure
- Voluntary and Technology-neutral
- Improve cyber threat information sharing
- Incorporate privacy & civil liberties protections
- Leverage existing regulation to promote cyber security
- Repeatable and cost-effective design
- Flexible cross-sector approach
DEVELOPMENT PROCESS
- Collaborative cross-sector workshops and public comments
9 NIST Cybersecurity Framework
- Released February 12, 2014
- Developed in partnership with asset owners and operators, academia, and US Government
- A risk-based cybersecurity approach composed of the following three parts:
  - Core: a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors
  - Profile: represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories in the core
  - Tiers (1-4): provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk
10 Guidance Development SUMMARY
- DOE is holding bi-weekly conference calls with the private sector stakeholders to engage them in the development of the Framework Implementation Guidance document.
- Draft Outline is being circulated for comments.
- DOE is collaborating with sector specific agencies and other interested government partners to seek their input on the Guidance document.
- It is anticipated that the Framework Implementation Guidance document for Energy sector will be released in October
11 Guidance Development APPROACH
- There are many potential tools for addressing Framework implementation. ES-C2M2 is one of many such tools.
- For organizations that prefer an implementation approach other than the C2M2, DOE is working with the Sector Coordinating Councils to develop and incorporate a general process addressing how alternative approaches may satisfy the goals of the framework.
- For organizations that use C2M2, the Implementation Guidance will highlight the interoperability between the NIST Cybersecurity Framework and DOE's C2M2 program.
12 Guidance Development FRAMEWORK AND C2M2
- C2M2 Practices, which cover elements of both the Framework Core and Tier, address both sophistication of a cybersecurity program, as well as the culture supporting it.
- C2M2 Maturity Indicator Levels (MILs) tie with elements of the Framework Tiers. Each of the domain MIL scores in the C2M2 incorporate elements of the risk management characteristics from the Tiers.
- C2M2 Scorecards, which highlight the level of maturity across C2M2 domains, are almost identical to the concept of Framework Profiles, both current and target.
13 Framework Adoption
- The White House established a work plan for ten incentive working groups; one of which is the working group: Prudent Cybersecurity Investments and Opportunities for Utilities in the Electric, Natural Gas, Water and Telecom Sectors.
- The working group was tasked with incentivizing adoption of the Cybersecurity Framework.
- The working group identified three target stakeholder groups:
  - State and local regulators
  - State policy makers
  - Asset owners/operators
14 State and Local Regulators
- The CSF is a voluntary guideline that can be referenced when evaluating a utility's cybersecurity program
- Implementing the practices outlined in the CSF is one way to reduce the exposure to risks, which can have significant financial implications for utilities
- Adopting the CSF can assist both regulators and the entities they regulate as it may reduce risks to the private sector, their customers, and to society as a whole
- We want to work with you to create a common lexicon between regulators and regulated entities and the public and private sectors for managing cyber risk
- Using something other than CSF for a cybersecurity discussion with the regulated entities will create undue burden on these entities
15 State Policy Makers
- Cybersecurity, as outlined in the CSF, should be considered when developing policies for reducing risks and enhancing the resiliency of critical infrastructure
- We have identified and collaborated with several groups with existing relationships with regulators and policy makers who can assist in developing these policies (NASEO, NARUC, etc.)
16 Asset Owners/Operators
- The CSF can be used as a tool for evaluating cybersecurity programs
- Increased implementation of the activities in the CSF may lead to better informed documentation and consideration of the recovery of costs for cybersecurity related expenses
- There are several documents and guides which may be used to implement the activities in the CSF; for example, the American Water Works Association Cybersecurity Tool, the ES-C2M2 and the Draft Energy Sector Framework Guidance
17 Cybersecurity for Energy Delivery Systems R&D Structure
- Higher Risk, Longer Term Projects
  - Core NSTB Program
  - Frontier Research
  - Academia Projects
  - Minimum Cost Share
- Medium Risk, Mid Term Projects
  - National Laboratory Led Projects
  - Lower Cost Share
- Partnering
- Lower Risk, Shorter Term Projects
  - Industry Led Projects
  - Higher Cost Share
- Core & Frontier (NSTB)
  - Argonne National Laboratory
  - Idaho National Laboratory
  - Oak Ridge National Laboratory
  - Los Alamos National Laboratory
  - Lawrence Berkeley National Laboratory
  - Pacific Northwest National Laboratory
  - Sandia National Laboratory
- Path to Commercialization
- Academia Led
  - Trustworthy Cyber Infrastructure for the Power Grid (TCIPG): Cornell University, Dartmouth College, UC-Davis, University of Illinois, Washington State University
  - SEI at Carnegie Mellon
- Laboratory Led
  - Idaho National Laboratory
  - Oak Ridge National Laboratory
  - Pacific Northwest National Laboratory
- Industry Led
  - Applied Communication Services
  - Grid Protection Alliance
  - Honeywell
  - Schweitzer Engineering Laboratories, Inc.
  - Siemens Infrastructure & Cities, Energy Automation
  - Sypris
18 Cybersecurity for Energy Delivery Systems R&D Structure
- Energy Sector's Roadmap: Roadmap to Achieve Energy Delivery Systems Cybersecurity
- NITRD: Networking Information Technology Research and Development
- Issue a competitive solicitation for an academic collaboration
- Continue high risk/high payoff Frontier and Core research at the National labs
- Issue a competitive solicitation for the Energy Sector
- University-led R&D
- National Lab-led R&D
- Energy Sector-led R&D
- The second phase of an expanded academic collaboration that:
  - Combines expertise in power system engineering and the computer science of cybersecurity to innovate and transition capabilities that reduce the risk of power disruption resulting from a cyber incident.
  - Maintains an academic collaboration in CEDS R&D after The Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) receives its final year of funding in FY14
- National Lab research areas could include:
  - Analyze the risk posed to the energy sector if energy delivery control systems were exploited by selected malware
  - Tailored Trustworthy Spaces that tailor cybersecurity in all levels of the energy delivery system architecture
- Energy Sector research areas could include:
  - Detect compromise of supply chain integrity for energy delivery system cyber assets
  - Identify adversarial cyber activity that attempts to hide by misusing normally allowed operation of power grid components
  - Survive a cyber incident while sustaining critical energy delivery functions.
19 Cybersecurity for Energy Delivery Systems
Key Success: Lemnos Collaboration Transitions R&D to Practice
- Prototype Development
  - Commercial prototype and open source configuration profile for interoperable secure routable energy sector communications
  - EnerNex Corporation, Sandia National Laboratories, Schweitzer Engineering Laboratories, Tennessee Valley Authority, 7 Network Security Vendors
- Applied Research
  - Open Process Control System (PCS) Security Architecture for Interoperable Design, known as OPSAID, provides vendors of supervisory control and data acquisition/energy management systems (SCADA/EMS) with the capability to retrofit secure communications for legacy devices, and to design-in interoperable security for future energy delivery control systems
  - Sandia National Laboratories
- CEDS projects engage national labs, vendors, asset owners, and academia throughout the project lifecycle to deliver relevant projects with clear commercialization paths.
- Field Demonstration
  - Lemnos has become a broad industry partnership for secure, interoperable communications
  - Increasing numbers of energy delivery system vendors have demonstrated Lemnos, today at least ten
- Open Source Solution
  - Broad energy sector partnership uses Lemnos
  - Interoperable, secure routable energy sector communications
- Commercial Product
  - Schweitzer Engineering Laboratories Ethernet Security Gateway SEL-3620 implements Lemnos
20 Integrated National Response to a Cyber Incident
- In 2012, Deputy Secretary of Energy Daniel Poneman directed senior staff at DOE to develop a Cyber Incident Response Plan for integrated national response for the Energy Community.
- This kicked off a multi-year effort to organize internally and externally to develop a timely, coordinated, effective, and efficient Cyber Incident Management Capability for integrated national response.
- The capability will utilize governmental and non-governmental resources to prevent, protect, mitigate, respond, and recover from a high-impact cyber incident.
21 DOE's Goal Operational Energy and Resilience
- Steady State
  - Understand & Communicate Threats: Serve as a steady-state operations center that can monitor, receive, and analyze real-time energy threat and operations information and coordinate information sharing of that information with all Energy Sector Stakeholders
- Emergency Response
  - Facilitate Return to Normal
  - Provide Immediate Assistance: During emergencies, the E-ROC facilitates the collaboration with governments, energy sector partners to include owners, operators, and associations thru the analysis and dissemination of actionable information
- Risk Management: Engage with domestic and international partners to ensure reliability, survivability and resiliency of the Energy Sector
- Enhance Resilience: Implement energy resilience policies and guidelines for facility owners and States (including territories and tribal) to mitigate, prepare, prevent, respond, and recover from disasters and threats that might impact energy infrastructure
- Provide Immediate Assistance: During emergencies, deploy and coordinate with regional Federal, States (including territories and tribal) and energy infrastructure owners and operators and serve on the National I-MAT Teams
- Faster restoration and recovery of energy systems
- Cutting Edge Solutions: Rapid identification of potential technical solutions, as appropriate, drive the innovation and introduction of new science and technology to the Energy Sector
22 DOE's PICERF Capability Segments
Energy Sector-Cybersecurity Incident Management Capability Framework for People, Tools, and Processes
- Contain
- Lessons Learned / Post-mortem / Follow-up
- Operations: e.g., Requirements, CONOPS, Roles, Playbook, MOUs, Areas, SLAs/Metrics, Exercises, Supply Chain, Reports
- Information: e.g., Data Standards, Adapters, Aggregation, Cross-domain, Variety, Velocity, Historical data
- Technology: e.g., Capabilities, Analytics, Lines of Communication, IM System, Portal, B2B
- 2014 goal: Finalize an Incident Management roadmap developed with federal partners and industry for incident response capabilities needed over the next five years
23 Energy Sector-Cybersecurity Incident Management Capability Gap Observations: Executive Summary
- Compliance Focus: Increased focus to response and recovery while sustaining appropriate levels of preparation and compliance
- Data Protection: Protection for any submitted data against regulatory or public use beyond narrowly-defined incident management
- Customer convenience: Mobility, ease of use, portal access, timely access to sensitive information, hours of operation
- Personalization of information: Based on DOE and stakeholder needs, in the desired form, and using the communications channel they'd prefer
- Centralized reporting, wide dissemination: Elimination of redundant efforts and confusion about who and where to go for answers and resources
- Shared Situational Awareness: Integrated data exchange amongst stakeholders to enable effective decision-making
- Asset owners increase data production: Increased bi-direction data exchange with asset owners and access to their insights
24 Building Incident Management Capacity Playbooks & Capabilities
- Electricity Subsector Playbook to address a cyber attack:
  - Part of a larger DHS-led effort to identify incident response processes in critical infrastructure sectors
  - Collaboration between government and industry to identify responsibilities and activities
  - Specific types of attack addressed
- Government and Industry Capabilities in the Electricity Subsector:
  - Part of a larger DHS-led effort to identify incident response capabilities in critical infrastructure sectors
  - Collaboration between government and industry to identify existing capabilities
- Executive-level Playbooks:
  - ESCC directed a Senior Executive Industry Playbook that addresses all-hazards
  - Government entities have similar playbooks for executive communications and alert levels
25 Questions?
Mike Smith, Senior Cyber Policy Advisor to the Assistant Secretary, Department of Energy
Phone:
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationWater Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary
Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary May 2007 Environmental Protection Agency Executive Summary
More informationIAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope
IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope March 6, 2014 Victoria King UPS (404) 828-6550 vking@ups.com Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com
More informationIG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY
IG MATURITY MODEL FOR FY 2015 FISMA 1 Ad-hoc 1.1 program is not formalized and activities are performed in a reactive manner resulting in an adhoc program that does not meet 2 requirements for a defined
More informationOne Hundred Thirteenth Congress of the United States of America
S. 2519 One Hundred Thirteenth Congress of the United States of America AT THE SECOND SESSION Begun held at the City of Washington on Friday, the third day of January, two thous fourteen An Act To codify
More informationS. 2519 AN ACT. To codify an existing operations center for cybersecurity.
TH CONGRESS D SESSION S. 1 AN ACT To codify an existing operations center for cybersecurity. 1 Be it enacted by the Senate and House of Representa- tives of the United States of America in Congress assembled,
More informationfuture data and infrastructure
White Paper Smart Grid Security: Preparing for the Standards-Based Future without Neglecting the Needs of Today Are you prepared for future data and infrastructure security challenges? Steve Chasko Principal
More informationMicrosoft s cybersecurity commitment
Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade
More informationAddressing Dynamic Threats to the Electric Power Grid Through Resilience
Addressing Dynamic Threats to the Electric Power Grid Through Resilience NOVEMBER 2014 INTRODUCTION The U.S. electric power grid is an interconnected system made up of power generation, transmission, and
More informationPROTIVITI FLASH REPORT
PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity
More informationIndustry involvement in education and research - TCIPG
1 Industry involvement in education and research - TCIPG Peter W. Sauer and William H. Sanders (and the TCIPG team) IEEE/PES GM, Denver, CO July 29, 2015 Outline History and facts TCIPG Overview and Vision
More informationWorking to Achieve Cybersecurity in the Energy Sector. Cybersecurity for Energy Delivery Systems (CEDS)
Working to Achieve Cybersecurity in the Energy Sector Cybersecurity for Energy Delivery Systems (CEDS) Energy Sector Cybersecurity Challenges Open Protocols Open industry standard protocols are replacing
More informationWritten Statement of Richard Dewey Executive Vice President New York Independent System Operator
Written Statement of Richard Dewey Executive Vice President New York Independent System Operator Senate Standing Committee on Veterans, Homeland Security and Military Affairs Senator Thomas D. Croci, Chairman
More informationWhich cybersecurity standard is most relevant for a water utility?
Which cybersecurity standard is most relevant for a water utility? Don Dickinson 1 * 1 Don Dickinson, Phoenix Contact USA, 586 Fulling Mill Road, Middletown, Pennsylvania, USA, 17057 (*correspondence:
More informationSuzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA
8 th Annual Safeguarding Health Information: Building Assurance through HIPAA Security HHS Office of Civil Rights and National Institute of Standards & Technology Wednesday September 2, 2015 Suzanne B.
More informationApril 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,
More informationLessons from Defending Cyberspace
Lessons from Defending Cyberspace The Challenge of Addressing National Cyber Risk Andy Purdy Workshop on Cyber Security Center for American Studies, Christopher Newport College 10 28-2009 Cyber Threat
More informationRebecca Massello Energetics Incorporated
Cybersecurity Procurement Language for Energy Delivery Systems Rebecca Massello Energetics Incorporated NRECA TechAdvantage February 25, 2015 Talking Points What is this document? Who can use this document
More informationIoT & SCADA Cyber Security Services
IoT & SCADA Cyber Security Services RIOT SOLUTIONS PTY LTD P.O. Box 10087, Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 4, 60 Edward St, Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au
More informationPortal Storm: A Cyber/Business Continuity Exercise. Cyber Security Initiatives
Portal Storm: A Cyber/Business Continuity Exercise Cyber Security Initiatives Commonwealth of Pennsylvania Office of Administration Tony Encinias, Chief Information Officer Project Initiated: January 2013
More informationAccenture Cyber Security Transformation. October 2015
Accenture Cyber Security Transformation October 2015 Today s Presenter Antti Ropponen, Nordic Cyber Defense Domain Lead Accenture Nordics Antti is a leading consultant in Accenture's security consulting
More informationInformation and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework
Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework Don t screw with my chain, dude! Jon Boyens Computer Security Division IT Laboratory November
More informationPreventing and Defending Against Cyber Attacks November 2010
Preventing and Defending Against Cyber Attacks November 2010 The Nation s first ever Quadrennial Homeland Security Review (QHSR), delivered to Congress in February 2010, identified safeguarding and securing
More informationObtaining Enterprise Cybersituational
SESSION ID: SPO-R06A Obtaining Enterprise Cybersituational Awareness Eric J. Eifert Sr. Vice President Managed Security Services DarkMatter Agenda My Background Key components of the Cyber Situational
More informationICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team. National Cybersecurity and Communications Integration Center
ICS-CERT Year in Review Industrial Control Systems Cyber Emergency Response Team 2013 National Cybersecurity and Communications Integration Center What s Inside Welcome 1 National Preparedness 2 Prevention
More informationCyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record
Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Roberta Stempfley Acting Assistant Secretary for Cybersecurity and Communications
More informationABE40. Welcome Transportation Partners
ABE40 TRB Critical Transportation Infrastructure Committee Welcome Transportation Partners Jeff Western, Principal Western Management and Consulting jeffrey.western@consultingwestern.com Agenda TRB Welcome
More informationIndustrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk
Industrial Cyber Security Risk Manager Proactively Monitor, Measure and Manage Cyber Security Risk With Today s Cyber Threats, How Secure is Your Control System? Today, industrial organizations are faced
More informationNGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity;
NGA Paper Act and Adjust: A Call to Action for Governors for Cybersecurity challenges facing the nation. Although implementing policies and practices that will make state systems and data more secure will
More informationGEARS Cyber-Security Services
Florida Department of Management Services Division of State Purchasing Table of Contents Introduction... 1 About GEARS... 2 1. Pre-Incident Services... 3 1.1 Incident Response Agreements... 3 1.2 Assessments
More informationCybersecurity for Energy Delivery Systems 2010 Peer Review. Philip A Craig Jr Pacific Northwest National Laboratory Field Device Management
Cybersecurity for Energy Delivery Systems 2010 Peer Review Alexandria, VA July 20-22, 2010 Philip A Craig Jr Pacific Northwest National Laboratory Field Device Management Summary Slide: Field Device Management
More informationThe Comprehensive National Cybersecurity Initiative
The Comprehensive National Cybersecurity Initiative President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we
More informationFREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication
More informationRoadmaps to Securing Industrial Control Systems
Roadmaps to Securing Industrial Control Systems Insert Photo Here Mark Heard Eastman Chemical Company Rockwell Automation Process Solutions User Group (PSUG) November 14-15, 2011 Chicago, IL McCormick
More informationBusiness Continuity for Cyber Threat
Business Continuity for Cyber Threat April 1, 2014 Workshop Session #3 3:00 5:30 PM Susan Rogers, MBCP, MBCI Cyberwise CP S2 What happens when a computer program can activate physical machinery? Between
More informationEd McMurray, CISA, CISSP, CTGA CoNetrix
Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats
More informationExecutive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014
Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to
More information2008 Visualization and Controls Peer Review. NSTB Program. Sam Clements Pacific Northwest National Laboratory
2008 Visualization and Controls Peer Review NSTB Program Washington, DC October 21-22, 2008 Sam Clements Pacific Northwest National Laboratory PNNL - NSTB Program Vision GRIDSTAT SECURITY EVALUATION Enterprise
More informationSCOPE. September 25, 2014, 0930 EDT
National Protection and Programs Directorate Office of Cyber and Infrastructure Analysis (OCIA) Critical Infrastructure Security and Resilience Note Critical Infrastructure Security and Resilience Note:
More information