UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION. Statement of Thomas F. O'Brien, Vice President & Chief Information Officer




UNITED STATES OF AMERICA
FEDERAL ENERGY REGULATORY COMMISSION

Revised Critical Infrastructure Protection Reliability Standards
Docket No. RM15-14-000

Statement of Thomas F. O'Brien
Vice President & Chief Information Officer
PJM Interconnection, L.L.C.
January 28, 2016

PJM Interconnection is pleased to provide these initial comments in response to the Commission's inquiry on the Cyber Security Supply Chain Best Practices. My comments will address some of the unique challenges, current PJM actions, and a set of recommendations to further advance the supply chain cybersecurity issues.

I serve as the Vice President and Chief Information Officer for PJM. In this role, I oversee all aspects of PJM's information technology and enterprise information security. My role has been to ensure we are implementing technology to meet our responsibilities as an RTO in a secure and reliable manner.

I appreciate the Commission's focus on the importance of supply chain cybersecurity issues. Supply chain risk is a genuine threat that needs to be carefully considered and managed. The complexity and breadth of supply chain cybersecurity risk includes end-to-end management of the supply and distribution of hardware, firmware, system software, application software and services. Effectively identifying and managing the cybersecurity risks within the supply chain is important. There are clear and documented examples across several supply chains and distribution channels of embedded attacks in hardware, system software, application software, and services. A risk-based approach will drive the greatest value by ensuring that we address the highest risks first.

Managing the supply chain from a cybersecurity perspective does create some unique challenges:

- The supply chain is highly distributed and does not fall under any single regulatory jurisdiction, which potentially could subject hardware, software, and service vendors to diverse standards from multiple critical infrastructures and regulatory agencies;
- The supply chain does not lend itself to creating the necessary collaboration and accountability to ensure issues are managed by those best able to manage the risk;
- An ineffective regulatory program can create a false sense of security and divert resources from focusing on activities which are most within the customer's control; and
- Ineffective management of the supply chain for addressing cybersecurity issues could lead to increased utility costs without a corresponding significant benefit to the end user.

Thus, it is critically important that we address supply chain cybersecurity risks in an efficient and cost-effective manner.

PJM is addressing the cybersecurity supply chain issues that the Commission has identified within the context of our overall security program. Our program has advanced significantly and has demonstrated tangible benefits in terms of advancing the cybersecurity of our systems through the PJM procurement process. Nevertheless, PJM recognizes the need for further enhancements as we manage the threats. Our collaboration with software, hardware, and services vendors has shown that as one moves up the supply chain, cybersecurity supply chain practices are inconsistent and therefore must continue to evolve and improve. By way of example, some of PJM's current activities that are focused on enhancing cybersecurity of our systems through our procurement process and other internal processes include:

- Our participation in DHS classified briefings to better understand the cybersecurity threats, including supply chain threats;
- Modifications to our vendor review process as part of our procurement processes to ensure that risk and cybersecurity best practices are carefully considered prior to contract approval;
- Analysis of cyber and physical security controls for major vendors of high-risk systems to ensure that their internal security practices are sufficient to reduce unintentional defects as well as intentional infiltration of malware and backdoors;
- Development of common security requirements that will be part of our request for proposal process and technology implementations;
- PJM buying only from authorized resellers, avoiding used products to reduce the risk of counterfeit and tainted products;
- PJM requiring contractors and vendors to undergo PJM's background screening process irrespective of the criticality of that access;
- Engaging third parties for advanced security penetration testing on an annual basis and when major systems are released into production environments;
- Advanced 24x7 security event monitoring tools and controls to detect potentially malicious network activity that would result from tainted products;
- File system monitoring for high-risk systems to ensure that changes on file systems correspond to authorized changes;
- Establishment of a software management governance team to ensure that all software is authorized prior to installation and has gone through a security review;
- Participation in the Cyber Risk Information Sharing Program (CRISP), which provides detection of potentially malicious traffic that may result from nation state infiltration of supply chains.

In light of the complexity, the existing disparate industry standards, the immaturity of supply chain cybersecurity practices among vendors, and the absence of well-established practices in supply chain cybersecurity, PJM proposes that, at this time, a directive to NERC to develop a standard in this area may not be the best use of time and resources to address this issue. Standard drafting is something of a cottage industry with its own set of challenges focused on choice of specific words, action required and issues surrounding enforcement and penalties. Getting embroiled in these issues prematurely may take away from the kind of development of best practices guidance and cross-industry communication that is needed at this stage of the process. Accordingly, we would urge the Commission to consider other vehicles, which could range from use of NERC's process for the development of Guidance Papers (a process which has been used by the Critical Infrastructure Protection Committee (CIPC), which is tasked to develop, periodically review, and revise security guidelines) to more organized Commission-sponsored communications both within the electric industry as well as across industries.[1] A similar effort for communication among regulators of different sectors especially impacted by cybersecurity, such as the financial and communication sectors in addition to the utility sector, would also help to advance supply chain cybersecurity capabilities and ensure the sharing of best practices. As a result, our recommended path forward is to encourage cross-sector coordination and collaboration with the providers in the technology industry as opposed to diverting focus to the drafting of a technical standard at this point in time.

On the other hand, we do believe there is a key FERC and NERC role at this point in time. Presently, there are a host of standards and publications that need to be better coordinated and harmonized. These include:

- NIST SP 800-161 - Supply Chain Risk Management Practices for Federal Information Systems and Organizations.
- ISO 20243 - Open Trusted Technology Provider Standard (O-TTPS) - A standard of The Open Group for vendors that provides a set of guidelines, recommendations and requirements that help assure against maliciously tainted and counterfeit products.
- Department of Energy's Cybersecurity Procurement Language for Energy Delivery Systems - This publication is a guidance document that provides baseline cybersecurity procurement language for use by asset owners, operators, integrators, and suppliers during the procurement process.
- NIST Cyber Security Framework - Provides guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by the National Institute of Standards and Technology (NIST) in February 2014.
- ISO 27000 Standards - Information Security Management Family of Standards.

[1] The development of guidance documents in lieu of standards is specifically contemplated in the charters of certain NERC Committees, including the CIPC. The full set of CIPC guidelines is available at: http://www.nerc.com/comm/cipc/pages/security-guidelines.aspx.

We would suggest that FERC direct NERC to develop a guidance document (using the existing CIPC guidance document process outlined above), as well as gather and synthesize key data on best practices in cybersecurity procurement, as well as work with NIST and other agencies to rationalize the above standards and publications into a guidance document that works for the electric industry in light of its role as a buyer rather than manufacturer of these products. This should include collaboration with IT vendors and service providers to understand the current state and to develop a roadmap for improving vendor cybersecurity supply chain practices. The scope of this effort should include specific recommendations associated with best practices in implementation of the above standards in the context of procurement of software and hardware. For example, the guidance could include:

- concepts on the ability to validate the authenticity of software and patches that are being downloaded;
- review of best practices associated with the procurement of hardware through specialized supply chains;
- best practices in application vulnerability management; and
- other specific recommendations based on the risk analysis.

Nevertheless, although PJM feels this guidance process focused on detailing best practices as outlined above is a more appropriate first step at this point, should the Commission decide that it desires to move forward with a directive to NERC to develop a binding standard at this point, we believe that the focus and assignment should be on strengthening the current CIP standards. Under this scenario, the existing standards would be reviewed in light of best practices that have been identified to address the supply chain risk in the areas that registered entities control with respect to prevention, detection, and resilience.

Finally, we note the passage of recent legislation that authorizes increased communication and collaboration between the industry and the relevant federal agencies. We believe the passage of this long-overdue legislation provides the legal authority for FERC, working with DHS and NIST, to ensure greater reporting on cyber threats to the E-ISAC and improved two-way communications. These efforts should be focused on:

- Providing transparency to cybersecurity risks embedded in commonly-used critical software applications and hardware; and
- Engaging with other critical infrastructures and government agencies (including other federal and state regulators) to ensure unity of approach.
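As an added illustration of the first guidance item recommended above (the ability to validate the authenticity of software and patches that are being downloaded), the following Go program is an example written for this page; it is not PJM's code and is not taken from any of the standards cited. It assumes a vendor publishes a sha256sum-style manifest together with a detached Ed25519 signature over that manifest, and that the buyer holds the vendor's public key obtained out of band (for example, recorded at contract time rather than fetched from the same download site). The key seed, file name and artifact bytes are constructed sample data.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors so a caller can tell the failure modes apart: a bad signature
// means the manifest itself cannot be trusted; a hash mismatch means the
// manifest is genuine but the artifact is not what the vendor published.
var (
	errBadSignature  = errors.New("manifest signature does not verify against vendor key")
	errNotInManifest = errors.New("artifact name not listed in manifest")
	errMalformed     = errors.New("malformed manifest entry")
	errHashMismatch  = errors.New("artifact SHA-256 does not match signed manifest")
)

// demoSeed is a constructed, fixed 32-byte seed standing in for the vendor's
// signing key. A real buyer never holds the private half, only the public key.
var demoSeed = []byte("pjm-example-vendor-seed-32-bytes")

// demoKeys derives the hypothetical vendor's Ed25519 key pair from the seed.
func demoKeys() (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(demoSeed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// manifestFor builds a one-entry manifest line in "sha256hex  name" form,
// the same layout sha256sum emits, so it extends naturally to many files.
func manifestFor(name string, artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(sum[:]), name))
}

// signManifest produces the vendor's detached Ed25519 signature over the manifest bytes.
func signManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// verifyDownload checks a downloaded artifact in the order a careful buyer
// should: first that the manifest is authentically the vendor's (signature over
// the manifest bytes), then that the artifact hashes to the value the manifest
// lists under its name. Hashing first would let an attacker who replaced both
// the artifact and the manifest pass the hash check before the forgery is noticed.
func verifyDownload(pub ed25519.PublicKey, manifest, sig []byte, name string, artifact []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errBadSignature
	}
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || fields[1] != name {
			continue
		}
		want, err := hex.DecodeString(fields[0])
		if err != nil || len(want) != sha256.Size {
			return errMalformed
		}
		got := sha256.Sum256(artifact)
		if subtle.ConstantTimeCompare(want, got[:]) != 1 {
			return errHashMismatch
		}
		return nil
	}
	return errNotInManifest
}

func main() {
	priv, pub := demoKeys()
	name := "rtu-firmware-2016.01.bin"                   // constructed file name
	artifact := []byte("constructed firmware image bytes") // constructed artifact
	manifest := manifestFor(name, artifact)
	sig := signManifest(priv, manifest)

	fmt.Println("genuine download:", verifyDownload(pub, manifest, sig, name, artifact))

	// A single flipped bit in the download is caught by the hash check.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered artifact:", verifyDownload(pub, manifest, sig, name, tampered))

	// An attacker who rewrites the manifest to match the tampered file still
	// fails, because the vendor's signature no longer covers the new bytes.
	forged := manifestFor(name, tampered)
	fmt.Println("forged manifest:", verifyDownload(pub, forged, sig, name, tampered))
}
```

The useful property for procurement guidance is the split in the three outcomes: a genuine file verifies, a modified file fails on the hash, and a modified file with a matching but unsigned manifest fails on the signature. That last case is why the signature must cover the manifest (or the artifact) rather than being a bare checksum posted beside the download, and why the public key has to come from a channel the download server cannot alter.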

In short, we see this entire exercise, including this NOPR, as part of a continued evolution of best practices and collaboration across critical infrastructures and technology service providers. At the same time, we recognize that protection across all critical infrastructure sectors is beyond FERC jurisdiction. As a result, it will be imperative to continue the broader engagement with the Department of Homeland Security, NIST, other critical infrastructure sectors, technology providers, and other government agencies to enhance our management of the supply chain against cybersecurity threats. PJM stands ready to work with the Commission, stakeholders, NERC, and others in that process.