Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Similar documents
Rebecca Massello Energetics Incorporated

AT&T Global Network Client for Windows Product Support Matrix January 29, 2015

Following the Energy Sector s Roadmap

NICE and Framework Overview

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

IEEE-Northwest Energy Systems Symposium (NWESS)

National Initiative for Cyber Security Education

Accenture Cyber Security Transformation. October 2015

Roadmap to Achieve Energy Delivery Systems Cybersecurity

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

Centers of Academic Excellence in Cyber Security (CAE-C) Knowledge Units Review

Case 2:08-cv ABC-E Document 1-4 Filed 04/15/2008 Page 1 of 138. Exhibit 8

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order Improving Critical Infrastructure Cybersecurity

Cisco Security Optimization Service

Gilead Clinical Operations Risk Management Program

Cyber Security and Privacy - Program 183

DOE Cyber Security Policy Perspectives

Facilitated Self-Evaluation v1.0

Cybersecurity Framework: Current Status and Next Steps

CYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION. Architecture Framework Advisory Committee November 4, 2014

Analysis One Code Desc. Transaction Amount. Fiscal Period

GTA Board of Directors September 4, 2014

How To Write A Cybersecurity Framework

Working Group on. First Working Group Meeting

What does it take to deliver the most technologically advanced Games ever?

How to use the National Cybersecurity Workforce Framework. Your Implementation Guide

Committee of the Whole. January 22, 2014

Designing & Implementing. Programs. MBA Bank Expo 2012 April 11, 2012

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

Cyber Security Metrics Dashboards & Analytics

Roadmaps to Securing Industrial Control Systems

NHTSA S AUTOMOTIVE CYBERSECURITY RESEARCH. Arthur Carter, Frank Barickman, NHTSA

White Paper on Financial Industry Regulatory Climate

Enterprise Security Tactical Plan

NIST Cybersecurity Framework What It Means for Energy Companies

Enhanced Vessel Traffic Management System Booking Slots Available and Vessels Booked per Day From 12-JAN-2016 To 30-JUN-2017

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps

SUMMARY PROFESSIONAL EXPERIENCE. IBM Canada, Senior Business Transformation Consultant

Public Safety and Homeland Security. National Broadband Plan Recommendations

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

How To Protect Your Network From Attack From A Network Security Threat

Actions and Recommendations (A/R) Summary

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

NERC CIP VERSION 5 COMPLIANCE

Regulatory Compliance Management for Energy and Utilities

Cybersecurity Enhancement Account. FY 2017 President s Budget

Preventing and Defending Against Cyber Attacks November 2010

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Protecting against cyber threats and security breaches

Homeland Security Grants Management Louisiana Emergency Preparedness Association (LEPA)

Microsoft s cybersecurity commitment

Industrial Cyber Security. Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities

Continuous compliance through good governance

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

4/1/2009. Short-termterm

AgriLife Information Technology IT General Session January 2010

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team. National Cybersecurity and Communications Integration Center

City & County of San Francisco Permit & Project Tracking System

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

How To Implement Itil V3

Panel Session: Lessons Learned in Smart Grid Cybersecurity

Goldman Sachs Conference. 22 May

From: Steve Berberich, Vice President of Technology and Corporate Services and Chief Financial Officer

Cost effective methods of test environment management. Prabhu Meruga Director - Solution Engineering 16 th July SCQAA Irvine, CA

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

Capabilities for Cybersecurity Resilience

Business Risk Management - Top 10 Questions to Ask

Benefits of Collaborative Science and Innovation - Improve Cyber Security

Dealing with Big Data in Cyber Intelligence

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

aecert Roadmap Eng. Mohammed Gheyath Director, Technical Affairs TRA

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, February 12, 2013

Cisco Unified Communications and Collaboration technology is changing the way we go about the business of the University.

Cybersecurity The role of Internal Audit

Incident Response. Proactive Incident Management. Sean Curran Director

Update On Smart Grid Cyber Security

FFIEC Cybersecurity Assessment Tool

Obtaining Enterprise Cybersituational

Middle Class Economics: Cybersecurity Updated August 7, 2015

Why you should adopt the NIST Cybersecurity Framework

State of South Carolina Policy Guidance and Training

Smart Grid Cybersecurity Lessons Learned

i Network, Inc Technology Solutions, Products & Services Providing the right information, to the right customer, at the right time.

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

NGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity;

CESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS

Cybersecurity in the States 2012: Priorities, Issues and Trends

Roles: Scrum Master & Project Manager

Point-of-Sale (POS) Malware: Tactics and Strategies for Protecting Customer Payment Information

Information Bulletin

Submitted at:

KUDELSKI SECURITY DEFENSE.

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles

Transcription:

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Energy Sector Control Systems Working Group Supporting the Electricity Sector Coordinating Council, Oil & Natural Gas Sector Coordinating Council, and Government Coordinating Council for Energy October 28, 2013

Agenda Rationale Document overview Alignment with the energy sector roadmap Core team members Approach and differences Instructions for commenting Role for stakeholders Next steps

Why Procurement Language for the Energy Sector? The energy sector continues to evolve as it faces: New cybersecurity threats Changes in security practices and requirements Advancing technologies Asset owners and operators are experiencing increased pressure for meeting stringent regulatory requirements Acquirers, integrators, and suppliers need to communicate expectations and requirements in a clear and repeatable manner A number of procurement language guidance documents exist, but understanding how to effectively use them can be confusing 3

What is the Cybersecurity Procurement Language for Energy Delivery Systems? Highlights: This document seeks to promote cybersecurity by design through procurement language tailored to the specific needs of the energy sector Provides baseline cybersecurity requirements that can be used in the procurement of energy delivery systems and components Intended to: Address current technological advancements and challenges of the energy sector Help energy sector stakeholders more clearly communicate expectations and requirements Not intended to be inserted verbatim into procurement contracts 4

Meeting the Vision of the Roadmap to Achieve Energy Delivery Systems Cybersecurity Roadmap Vision By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions. Developed by the Energy Sector Control Systems Working Group (ESCSWG) for asset owners, operators, government, regulators, standards bodies, researchers, academia, vendors and other solution providers Synthesis of energy delivery systems security challenges, R&D needs, and implementation milestones Provides strategic framework to align activities to sector needs coordinate public and private programs stimulate investments in energy delivery systems security For more information visit: www.controlsystemsroadmap.net 5

Alignment with Roadmap Strategies 1. Build a Culture of Security 2. Assess and Monitor Risk 3. Develop and Implement New Protective Measures 4. Manage Incidents 5. Sustain Security Improvements Near-term (0 3 yrs) 1.1 1.2 Executive engagement and support of cyber resilience efforts Industry-driven safe code development and software assurance awareness workforce training campaign launched 2.1 Common terms and measures specific to each energy subsector available for baselining security posture in operational settings 3.1 Capabilities to evaluate the robustness and survivability of new platforms, systems, networks, architectures, policies, and other system changes 4.1 4.2 Tools to identify cyber events across all levels of energy delivery system networks Tools to support and implement cyber attack response decision making for the human operator 5.1 5.2 Cyber threats, vulnerability, mitigation strategies, and incidents timely shared among appropriate sector stakeholders Federal and state incentives available to accelerate investment in resilient energy delivery systems Mid-term (4-7 years) 1.3 1.4 1.5 Vendor systems and components using sophisticated secure coding and software assurance practices widely available Field-proven best practices for energy delivery systems security widely employed Compelling business case developed for investment in energy delivery systems security 2.2 Majority of asset owners baselining their security posture using energy subsector specific metrics 3.2 3.3 Scalable access control for all energy delivery system devices available Next-generation, interoperable, and upgradeable solutions for secure serial and routable communications between devices at all levels of energy delivery system networks implemented 4.3 4.4 4.5 Incident reporting guidelines accepted and implemented by each energy subsector Real-time forensics capabilities Cyber event detection tools that evolve with the dynamic threat landscape 5.3 5.4 Collaborative environments, mechanisms, and resources available for connecting security and operations researchers, vendors, and asset owners Federally funded partnerships and organizations focused on energy sector cybersecurity become self-sustaining Long-term (8-10 years) 1.6 Significant increase in the number of workers skilled in energy delivery, information systems, and cybersecurity employed by industry 2.3 Tools for real-time security state monitoring and risk assessment of all energy delivery system architecture levels and across cyber-physical domains 3.4 3.5 3.6 Self-configuring energy delivery system network architectures widely available Capabilities that enable security solutions to continue operation during a cyber attack available as upgrades and built-in to new security solutions Next-generation, interoperable, and upgradeable solutions for secure wireless communications between devices at all levels of energy delivery system networks implemented 4.6 4.7 Lessons learned from cyber incidents shared and implemented throughout the energy sector Capabilities for automated response to cyber incidents, including best practices for implementing these capabilities available 5.5 5.6 Private sector investment surpasses Federal investment in developing cybersecurity solutions for energy delivery systems Mature, proactive processes to rapidly share threat, vulnerabilities, and mitigation strategies are implemented throughout the energy sector

Building a Culture of Security 1. Build a Culture of Security 2. Assess and Monitor Risk 1. Build a Culture of Security 3. Develop and Implement New Protective Measures 4. Manage Incidents 5. Sustain Security Improvements Near-term (0 3 yrs) Near-term (0 3 yrs) 1.1 1.2 Executive engagement and 1.1 support of cyber resilience efforts Industry-driven safe code development and software 1.2 assurance awareness workforce training campaign launched 2.1 Common terms and measures specific to each energy subsector available for baselining security posture in operational settings Executive engagement and support of cyber resilience efforts Industry-driven safe code development and software assurance awareness workforce training campaign launched 3.1 Capabilities to evaluate the robustness and survivability of new platforms, systems, networks, architectures, policies, and other system changes 4.1 4.2 Tools to identify cyber events across all levels of energy delivery system networks Tools to support and implement cyber attack response decision making for the human operator 5.1 5.2 Cyber threats, vulnerability, mitigation strategies, and incidents timely shared among appropriate sector stakeholders Federal and state incentives available to accelerate investment in resilient energy delivery systems Mid-term (4-7 years) Long-term (8-10 years) 1.3 1.4 Mid-term (4-7 years) 1.5 Long-term (8-10 years) 1.3 Vendor systems and components using sophisticated secure coding and software assurance practices widely available available Field-proven best practices for energy delivery systems security widely employed Compelling business case employed developed for investment in energy delivery systems security 1.4 1.5 Vendor systems and components using sophisticated secure coding and software assurance practices widely 1.6 Significant increase in the number security of workers skilled in energy delivery, information systems, and cybersecurity employed by industry 2.2 Majority of asset owners baselining their security posture using energy subsector specific metrics Field-proven best practices for energy delivery systems security widely Compelling business case developed for investment in energy delivery systems 2.3 Tools for real-time security state monitoring and risk assessment of all energy delivery system architecture levels and across 1.6 Significant increase in the number of workers skilled in energy delivery, information systems, and cybersecurity employed by industry cyber-physical domains 3.2 3.3 3.4 3.5 3.6 Scalable access control for all energy delivery system devices available Next-generation, interoperable, and upgradeable solutions for secure serial and routable communications between devices at all levels of energy delivery system networks implemented Self-configuring energy delivery system network architectures widely available Capabilities that enable security solutions to continue operation during a cyber attack available as upgrades and built-in to new security solutions Next-generation, interoperable, and upgradeable solutions for secure wireless communications between devices at all levels of energy delivery system networks implemented 4.3 4.4 4.5 4.6 4.7 Incident reporting guidelines accepted and implemented by each energy subsector Real-time forensics capabilities Cyber event detection tools that evolve with the dynamic threat landscape Lessons learned from cyber incidents shared and implemented throughout the energy sector Capabilities for automated response to cyber incidents, including best practices for implementing these capabilities available 5.3 5.4 5.5 5.6 Collaborative environments, mechanisms, and resources available for connecting security and operations researchers, vendors, and asset owners Federally funded partnerships and organizations focused on energy sector cybersecurity become self-sustaining Private sector investment surpasses Federal investment in developing cybersecurity solutions for energy delivery systems Mature, proactive processes to rapidly share threat, vulnerabilities, and mitigation strategies are implemented throughout the energy sector

Behind the Scenes ESCSWG: Leading this effort, spearheaded by Ed Goff (Duke Energy) Pacific Northwest National Laboratory (PNNL): Assisted with the facilitation and writing U.S. Department of Energy: Provided leadership, guidance, funding, and support to facilitate the development of this document Energetics Incorporated: Assisted with facilitation, coordination, and public outreach Core Team of Technical Advisors: Volunteered significant time and expertise in advising the drafting of this first draft. Core team includes representatives from: U.S. Department of Homeland Security, Edison Electric Institute, Electric Power Research Institute, Independent Electricity System Operator Ontario, Utilities Telecom Council, American Public Power Association, American Gas Association

Development Approach Providing for open, transparent, and formal public review cycles Engaging energy sector stakeholders from acquirer, integrator, and supplier communities Built on the Department of Homeland Security Cyber Security Procurement Language for Control Systems (DHS, 2009) to tailor guidance to the specific needs of the energy sector Addressed baseline cybersecurity requirements (not all-inclusive) Updated language to address technological advancements Laser focused on procurement language Focused on what to do, not how to do it Minimized redundancies Reviewed other existing documents and approaches to understand how they complement each other as well as identify gaps or opportunities to address unique energy sector challenges 9

What Is Different? The new draft document is 20% the size of the original DHS (2009) document Redundancy is minimized Near identical requirements that were presented in multiple sections are reduced Technical approaches are modernized Explanations of specific technologies have been removed Accounts for the differences in acquiring components and energy delivery systems vs.

Differences (cont) Focuses on energy sector needs Removed detailed Factory and Site Acceptance Testing and Maintenance Guidance Similar concepts are grouped together in only a few sections DHS (2009) System Hardening (with 6 sections) Perimeter Protection (3 sections) Account Management (7 sections) Coding Practices (1 section) Flaw Remediation (2 sections) Malware Detection and Protection (1 section) Host Name Resolution (1 section) End Devices (4 sections) Remote Access (6 sections) Physical Security (4 sections) Network Partitioning (2 sections) Wireless Technologies (11 sections) Draft EDS PL General Procurement Language (12 sections) Supplier s Lifecycle Security Program (6 sections) Intrusion Detection (2 sections) Physical Security (3 sections) Wireless Security (2 sections)

Sample Update Wireless Technologies DHS (2009) has 27 pages devoted to this topic and 105 procurement language items EDS PL has 2 pages and only 12 procurement language items DHS (2009) WIRELESS TECHNOLOGIES 1. Bluetooth 2. Wireless Closed Circuit TV 3. Radio Frequency Identification 4. 802.11 5. ZigBee 6. WirelessHART 7. Mobile Radios 8. Wireless Mesh Networks 9. Cellular 10. WiMAX 11. Microwave 12. Satellite Draft EDS PL WIRELESS TECHNOLOGIES 1. General Wireless 2. Specialized Wireless

Project Timeline 2013-2014 Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Gap Analysis Data Collection & Synthesis Stakeholder Comment Period Nov. 6 Dec. 6 Draft PL Document & Internal Review Collect and Review Stakeholder Comments Prepare Final PL Doc Stakeholder Outreach 13

Instructions for Commenting 1. Draft will be posted on November 6. Visit: www.controlsystemsroadmap.net and see News 2. Download Draft Cybersecurity Procurement Language for Energy Delivery Systems document and supporting comment matrix 3. Submit comments by December 6 to es-pl@energetics.com

We Need Your Feedback We can t do this without your feedback! Electric/ONG: Acquirers, suppliers, integrators Need to know how this document would be helpful with your procurements and what might be missing Please share with friends and colleagues Comments due December 6 15

Next Steps Planning communication and rollout Context based supplier, acquirer, & integrator Point of contact for questions Long-term maintenance plan Future Phase: Expand on implementation guidance Coordinate with stakeholder groups to align to other existing methodologies, standards, and practices

Questions? For more information visit: https://www.controlsystemsroadmap.net/efforts/ Pages/Cybersecurity-Procurement-Language-for- Energy-Delivery-Systems.aspx 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information