Rebecca Massello Energetics Incorporated

Transcription

1 Cybersecurity Procurement Language for Energy Delivery Systems Rebecca Massello Energetics Incorporated NRECA TechAdvantage February 25, 2015

2 Talking Points What is this document? Who can use this document and how? What does it cover? How was it created? 2

3 What is the Cybersecurity Procurement Language for Energy Delivery Systems? This document seeks to promote cybersecurity by design through procurement language tailored to the specific needs of the energy sector Provides baseline cybersecurity procurement language for the acquisition of: Individual components of energy delivery systems (e.g., PLCs, relays, RTUs) Individual energy delivery systems (SCADA, EMS, DCS) Network of energy delivery systems (e.g., substation) Helps to address some of the energy sectors evolving challenges Ensures cybersecurity is considered starting with design phase (continuing through testing, manufacturing, delivery, installation, and support) Focused on what to do, not how to do it 3

4 Terms and Definitions Term Acquirer Supplier Integrator Procured Product Definition Organization acquiring/procuring the product/service Organization that enters into agreement to supply the product/service Organization that customizes components, systems, and corresponding processes for Acquirers environment; function may be performed by the Acquirer, Supplier, or independent third party Any hardware, software, firmware, component being procured; may also include support and maintenance services *See page 6 of the document 4

5 How Can This Be Used in the Procurement Process? Intended to: Help energy sector stakeholders more clearly communicate expectations and requirements Embedding cybersecurity from the beginning can help manage supply chain risks and improve transparency Inform acquirers in RFP/RFI process Provide a starting point for the procurement process Users can select areas that are most applicable to their procurements Not intended to: Be inserted verbatim into procurement contracts Replace or specify applicable IT or OT standards Document suggests some standards to consider, but not all 5

6 Who Should Use the Document? Acquirers seeking to incorporate cybersecurity into procurement process (RFP/RFI) Acquirers seeking to evaluate cyber maturity of systems and components offered by Suppliers/Integrators Suppliers who want to communicate the maturity level of their systems and components Suppliers/Integrators designing/manufacturing systems, components, services requested by Acquirers (or Integrators) Acquirers, Integrators, Suppliers negotiating procurement contracts 6

7 Procurement Language: Key Sections Language is broken into the following sections: 2.0 General Cybersecurity Procurement Language 3.0 The Suppliers Life Cycle Security Program 4.0 Intrusion Detection 5.0 Physical Security 6.0 Wireless Technologies 7.0 Cryptographic System Management 7

8 General Cybersecurity Procurement Language Generally applicable across energy delivery systems and components General terms include: Removal or disablement of unused software and services prior to delivery Account management and access control Session management, authentication, password policy, logging and auditing Communications, heart beat signals Malware detection and prevention 8

9 General Language: Access Control Example Documentation/ Verification Sample Language The Supplier shall verify and provide documentation for the procured product, attesting that unauthorized logging devices are not installed (e.g., key loggers, cameras, and microphones), as specified by the Acquirer. 9

10 The Supplier s Life Cycle Program Encourage robust products with fewer weaknesses and vulnerabilities Secure development practices include: Upfront documentation of practices and transparency of supply origin Quality assurance, quality control, testing, code reviews, timely communication Timely notification of vulnerabilities or breaches, with accompanying mitigating measures (testing/validation of patches and updates) Managing access to sensitive information Ensuring that the product is implemented as specified ICT supply chain risk management practices Maintain/ Retire Implement Design Development Life Cycle Develop Produce Deliver Store 10

11 Secure Development Practices: Notification of Vulnerabilities and Weaknesses Example Period of Applicability Sample Language For [a negotiated time period of the contract or support agreement], the Supplier shall provide appropriate software and firmware updates to remediate newly discovered vulnerabilities or weaknesses within [a negotiated time period]. Updates to remediate critical vulnerabilities shall be provided within a shorter period than other updates, within [a negotiated time period (e.g., 7, 14, or 21 days)]. If updates cannot be made available by the Supplier within these time periods, the Supplier shall provide mitigations and/or workarounds within [a negotiated time period]. 11

12 Behind the Scenes ESCSWG: Leading this effort, spearheaded by Ed Goff (Duke Energy) Pacific Northwest National Laboratory (PNNL): Assisted with the facilitation and writing Energetics Incorporated: Assisted with facilitation, coordination, and public outreach U.S. Department of Energy: Provided leadership, guidance, funding, and support to facilitate the development of this document Core Team of Technical Advisors: Volunteered significant time and expertise in advising the drafting of this first draft. Core team includes representatives from: U.S. Department of Homeland Security, Edison Electric Institute, Electric Power Research Institute, Independent Electricity System Operator Ontario, Utilities Telecom Council, American Public Power Association, American Gas Association 12

13 Two open, transparent, and formal public review cycles (November 2013 & February 2014) Engaged energy sector stakeholders from acquirer, integrator, and supplier communities 308 specific comments from 23 entities during comment periods Utility Vendor Consultant/Other Public Review Cycles Government Standards Body Public/Private WG Lots of support for this effort, demonstrating the need in this sector Some feedback beyond scope and tracked for future revisions 13

14 Procurement Aligns with Energy Sector Cybersecurity Initiatives Document Roadmap to Achieve Energy Delivery Systems Cybersecurity Cybersecurity Capability Maturity Model (C2M2) Electricity Subsector Cybersecurity Risk Management Process (RMP) NIST s Framework for Improving Critical Infrastructure Cybersecurity Alignment By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions Consideration of supply chain issues and cybersecurity procurement are elements of the maturity model, which procurement language helps to address. Procurement language can help asset owners with their risk management process by requesting cybersecurity features prior to acquisition. Procurement language can help to identify the different categories of users and their roles in the procurement process, which is one element of this NIST framework.

15 Questions? For more information visit: Pages/es-pl.aspx questions to: 15

16 Backup Slides 16

17 Background on Procurement Language In 2009, DHS worked with control system security experts, asset owners and operators, suppliers, state and federal governments, international stakeholders Covers control systems across several sectors, including electricity, oil and natural gas, water, transportation, chemical Summarizes security principles and controls Provides example language 17

18 Why Update Procurement Language for the Energy Sector? Since 2009, the energy sector continues to evolve: New cybersecurity threats Changes in security practices and requirements Advancing technologies Asset owners, operators, and suppliers are experiencing increased pressure for meeting stringent regulatory requirements Procurement can help manage risks resulting from extended and geographically dispersed supply chains Need to build cybersecurity into solutions from the beginning Acquirers, integrators, and suppliers need to communicate expectations and requirements in a clear and repeatable manner 18

19 Managing Cyber Supply Chain Risks Procurement is part of the overall supply chain program Dialogue before contract to communicate expectations Embedding cybersecurity in procurement process helps manage supply chain risks and reduce risk of compromise: Request cybersecurity from the beginning Request transparent security practices from the beginning Encourage transparency on where sub-suppliers are located (and any changes) Agreement on appropriate time for notification of breaches/mitigating measures Transparency can help improve supply chain risk management practices Preserves system integrity; trust that only intended functions are performed and control is not lost 19

20 Sample Update: Wireless Technologies DHS (2009) has 27 pages devoted to this topic and 105 procurement language items EDS PL has one page and only 8 procurement language items DHS (2009) WIRELESS TECHNOLOGIES 1. Bluetooth 2. Wireless Closed Circuit TV 3. Radio Frequency Identification ZigBee 6. WirelessHART 7. Mobile Radios 8. Wireless Mesh Networks 9. Cellular 10. WiMAX 11. Microwave 12. Satellite EDS PL WIRELESS TECHNOLOGIES 1. General Wireless 20

21 Cryptographic System Management Cryptographic-based security systems more widely used today New section to address basic cryptographic system documentation and management capabilities Does not prescribe which type of cryptographic-based security systems are appropriate for any particular environment Does provide sample procurement language for» Cryptographic system documentation (e.g., crypto methods used, phases of key management)» Variable Cryptoperiods so crypto keys don t stay the same forever» Remote crypto key update capability (to avoid truck rolls) 21

22 Discussion Annabelle Lee, EPRI Evgeny Lebanidze, Cigital Rebecca Massello, Energetics