Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Transcription

1 Voluntary Cybersecurity Initiatives in Critical Infrastructure Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

2 Utility cybersecurity environment is full of collaborations and influencers Governance Executive Order Public/Private DHS DOE ISACs Other UTILITY Regulatory FERC State Public Utilities Commissions NARUC NRC NERC Standards and Guidelines IEC ISA99 ISO NIST SGIP 2014 Utilities Telecom Council 2

3 Utility cybersecurity environment is full of collaborations and influencers Governance Executive Order Regulatory FERC State Public Utilities Commissions NARUC NRC NERC Public/Private DHS DOE ISACs Other Standards and Guidelines IEC ISA99 ISO NIST SGIP 2014 Utilities Telecom Council 3

4 Utility cybersecurity environment is full of collaborations and influencers Governance Executive Order Regulatory FERC State Public Utilities Commissions NARUC NRC NERC Public/Private DHS DOE ISACs Other Standards and Guidelines IEC ISA99 ISO NIST SGIP 2014 Utilities Telecom Council 4

5 Utility cybersecurity environment is full of collaborations and influencers Governance Executive Order Regulatory FERC State Public Utilities Commissions NARUC NRC NERC Public/Private DHS DOE ISACs Other Standards and Guidelines IEC ISA99 ISO NIST SGIP 2014 Utilities Telecom Council 5

6 NIST Cybersecurity Framework Final Framework published February 12, 2014 ( Developed through collaborative process with industry Current Framework is Version 1.0 and will be reviewed one year after its publication Sector-specific Framework Use Guidance is under development Department of Energy proposed to use Capability Maturity Model (ES- C2M2) for the Energy Sector (( Utilities Telecom Council 6

7 The Framework advocates a tailored risk-based approach to cybersecurity Inputs Business Priorities and risk tolerance Existing cybersecurity processes Framework Core and Implementation Tiers Current regulatory requirements and applicable standards Applying the Framework Step 1: Prioritize and Scope Step 2: Orient Step 3: Create a Current Profile Step 4: Conduct a Risk Assessment Step 5: Create a Target Profile Step 6: Determine, Analyze, and Prioritize Gaps Step 7: Implement Action Plan Benefits Benchmark your current security activities Create a road map for improvement Demonstrate that you have a security program Demonstrate to your leadership that you are doing the right things 2014 Utilities Telecom Council 7

8 The Framework Core organizes existing standards and practices into a sector-agnostic structure Identify Protect Identify Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Protect Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Detect Detect Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. Respond Respond Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Recover Recover Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event Utilities Telecom Council 8

9 Categories and Subcategories break down the Functions into more granular activities Framework Core Functions Categories Subcategories Informative References Identify Protect Detect Respond Recover 2014 Utilities Telecom Council 9

10 Framework Implementation Tiers help establish cybersecurity maturity Tier Risk Management Process Integrated Risk Management Program Tier 1: Partial Informal and Ad Hoc Irregular, case-bycase Tier 2: Risk Informed Tier 3: Repeatable Tier 4: Adaptive Approved by management but not established enterprisewide Formally approved, in policy, and updated in response to changing landscape Continuous improvement. Adapts practices based on lessons learned, predictive indicators, and changing landscape Organizational awareness, processes and procedures Organization-wide approach, processes and procedures implemented and reviewed, effective risk response processes Cybersecurity risk management is part of organizational culture External Participation No processes in place Informal external information sharing Understands external dependencies and can consume information from partners Actively shares information with partners to improve before events 2014 Utilities Telecom Council 10

11 Framework Implementation DHS C 3 Program Energy Sector Communications Sector NIST Activities - Incentives Outreach to regulators and policy-makers 2014 Utilities Telecom Council 11

12 How does this relate to NERC CIP Function Category Subcategory NERC CIP v5 IDENTIFY (ID) IDENTIFY (ID) IDENTIFY (ID) Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization s risk strategy. Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization s risk strategy. Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization s risk strategy. ID.AM-1: Physical devices and systems within the organization are inventoried ID.AM-1: Physical devices and systems within the organization are inventoried ID.AM-1: Physical devices and systems within the organization are inventoried CIP R1: Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission stations and substations; iii. Generation resources; iv.systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements; v.special Protection Systems that support the reliable operation of the Bulk Electric System; and vi.for Distribution Providers, Protection Systems specified in Applicability section above. CIP R2: The Responsible Entity shall: (2.1) Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and; (2.2) Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1. CIP R2: Each Responsible Entity for its assets identified in CIP 002 5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies,?? one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). (2.1) Cyber security awareness; (2.2) Physical security controls; (2.3) Electronic access controls for external routable protocol connections and Dial up Connectivity; and (2.4) Incident response to a Cyber Security Incident.? 2014 Utilities Telecom Council 12

13 NIST Roadmap lays the path for the future NIST will continue involvement at least through Framework 2.0 Series of workshops to address areas for development, alignment, and collaboration Privacy Engineering workshops April and September 2014 Framework 2.0 workshop 6 th Cybersecurity Framework Workshop October 29-30, 2014 Plan for transition of the framework including transition to a nongovernment organization Areas for development, alignment, and collaboration Authentication Automated Indicator Sharing Conformity Assessment Cybersecurity Workforce Data Analytics Federal Agency Cybersecurity Alignment International Aspects, Impacts, and Alignment Supply Chain Risk Management Technical Privacy Standards 2014 Utilities Telecom Council 13

14 Summary Cybersecurity Framework is a living document that helps us organize our thinking Use the Framework to facilitate discussion about cybersecurity with your stakeholders Let the community know how this is working for you The Framework will continue evolving and improving 2014 Utilities Telecom Council 14

15 Questions 2014 Utilities Telecom Council 15

16 Contact Information Nadya Bartol 2014 Utilities Telecom Council 16