Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Transcription

1 Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Victoria Yan Pillitteri Advisor for Information Systems Security

2 National Institute of Standards and Technology (NIST) About NIST NIST s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. 3,000 employees 2,700 guest researchers 1,300 field staff in partner organizations Two main locations: Gaithersburg, Md and Boulder, Co NIST Priority Research Areas Advanced Manufacturing IT and Cybersecurity Healthcare Forensic Science Disaster Resilience Cyber-physical Systems Advanced Communications 2

3 Utility Cybersecurity: An International Challenge 3 Image source: %20DL/Related%20Files/BA_Bubble_Map_ jpg

4 NIST Cybersecurity Resources Framework for Improving Cri2cal Infrastructure Cybersecurity Guidelines for Smart Grid Cybersecurity Guide to Industrial Control Systems Security Cybersecurity for Cyber- Physical Systems

5 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties President Barack Obama Executive Order 13636, Feb. 12, 2013 The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work 5

6 The Cybersecurity Framework Is for Organizations Of any size, in any sector in the critical infrastructure That already have a mature cyber risk management and cybersecurity program That don t yet have a cyber risk management or cybersecurity program With a mission of helping keep up-to-date on managing risk and facing business or societal threats 6

7 Framework Components Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Cybersecurity activities and informative references, organized around particular outcomes Supports prioritization and measurement while factoring in business needs Framework Profile Framework Core Enables communication of cyber risk across an organization Framework Implementation Tiers Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics

8 Framework Core 8

9 Framework Profile Alignment of Functions, Categories, and Subcategories with business requirements, risk tolerance, and resources of the organization Enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/ regulatory requirements and industry best practices, and reflects risk management priorities Can be used to describe current state or desired target state of cybersecurity activities 9

10 How to Use the Cybersecurity Framework The Framework is designed to complement existing business and cybersecurity operations, and can be used to: Understand security status Establish / Improve a cybersecurity program Communicate cybersecurity requirements with stakeholders, including partners and suppliers Identify opportunities for new or revised standards Identify tools and technologies to help organizations use the Framework Integrate privacy and civil liberties considerations into a cybersecurity program 10

11 NIST Cybersecurity Resources Framework for Improving Cri2cal Infrastructure Cybersecurity Guidelines for Smart Grid Cybersecurity Guide to Industrial Control Systems Security Cybersecurity for Cyber- Physical Systems

12 Revised: Guidelines for Smart Grid Cybersecurity NIST Interagency Report 7628, Rev. 1, Guidelines for Smart Grid Cybersecurity, released September 2014

13 Overview of Updates to NISTIR 7628 Updates to reflect feedback from implementations and experience using the guidelines Updates on Volume 2, Privacy and the Smart Grid to reflect changing regulatory requirements New use cases: advanced metering and privacy New sections addressing: relationship between EO and smart grid guidance, cyber-physical attack, and cybersecurity testing and certification New informative references: NISTIR 7628 User s Guide, published by the Smart Grid Interoperability Panel 13

14 NIST Cybersecurity Resources Framework for Improving Cri2cal Infrastructure Cybersecurity Guidelines for Smart Grid Cybersecurity Guide to Industrial Control Systems Security Cybersecurity for Cyber- Physical Systems

15 Revised: Guide to Industrial Control Systems (ICS) Security Draft NIST Special Publication , Rev. 2 major updates ICS threats and vulnerabilities ICS risk management, recommended practices and architectures Current activities in ICS security Additional alignment with ICS security standards and guidelines New tailoring guidance for NIST SP , Rev. 4 security controls and overlays ICS Overlay, providing tailored security control baselines for Low, Moderate, and High impact ICS 15

16 ICS Overlay 16

17 NIST Cybersecurity Resources Framework for Improving Cri2cal Infrastructure Cybersecurity Guidelines for Smart Grid Cybersecurity Guide to Industrial Control Systems Security Cybersecurity for Cyber- Physical Systems

18 Emerging: Cybersecurity for Cyber-Physical Systems (CPS) Is a CPS any engineered system with a microprocessor? Do all CPS need to be connected to the internet? What are CPS? Are there a set of basic functions and architectural elements common to all CPS? Join the CPS Public Working Group ( to engage with other experts to chart the path to the future of CPS 18

19 NIST Cybersecurity Resources Guidelines for Smart Grid Cybersecurity Guide to Industrial Control Systems Security Public Working Group Cybersecurity Framework Industry Academia Government Cybersecurity for Cyber- Physical Systems