RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity



Similar documents
ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

NIST CYBERSECURITY FRAMEWORK IMPLEMENTATION: ENERGY SECTOR APPROACH

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Why you should adopt the NIST Cybersecurity Framework

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Why you should adopt the NIST Cybersecurity Framework

Re: Experience with the Framework for Improving Critical Infrastructure Cybersecurity ( Framework )

Written Statement of Richard Dewey Executive Vice President New York Independent System Operator

IEEE-Northwest Energy Systems Symposium (NWESS)

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, February 12, 2013

AURORA Vulnerability Background

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Docket No. DHS , Notice of Request for Public Comment Regarding Information Sharing and Analysis Organizations

Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order

Addressing Dynamic Threats to the Electric Power Grid Through Resilience

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR

Cybersecurity Framework: Current Status and Next Steps

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Cyber Security and Privacy - Program 183

Risk Management in Practice A Guide for the Electric Sector

Regulatory Compliance Management for Energy and Utilities

Executive Summary. Cybersecurity cannot be completely solved, and will remain a risk we must actively manage.

DOE Cyber Security Policy Perspectives

Building Insecurity Lisa Kaiser

Which cybersecurity standard is most relevant for a water utility?

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Middle Class Economics: Cybersecurity Updated August 7, 2015

Rebecca Massello Energetics Incorporated

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team. National Cybersecurity and Communications Integration Center

How To Write A Cybersecurity Framework

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

Rethinking Cyber Security for Industrial Control Systems (ICS)

Smart Grid America: Securing your network and customer data. Michael Assante Vice President and Chief Security Officer March 9, 2010

Securing the Grid. Marianne Swanson, NIST Also Moderator Akhlesh Kaushiva (AK), DOE Lisa Kaiser, DHS Leonard Chamberlin, FERC Brian Harrell, NERC

Keeping the Lights On

The NIST Cybersecurity Framework

Roadmaps to Securing Industrial Control Systems

What are you trying to secure against Cyber Attack?

National Security & Homeland Security Councils Review of National Cyber Security Policy. Submission of the Business Software Alliance March 19, 2009

PREPARED DIRECT TESTIMONY OF SCOTT KING ON BEHALF OF SOUTHERN CALIFORNIA GAS COMPANY

PREPUBLICATION COPY. More Intelligent, More Effective Cybersecurity Protection

NIPP Partnering for Critical Infrastructure Security and Resilience

State Roles in Enhancing the Cybersecurity of Energy Systems and Infrastructure

April 28, Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel

Help for the Developers of Control System Cyber Security Standards

How To Understand And Manage Cybersecurity Risk

Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

Cyber security: Practical Utility Programs that Work

Cybersecurity Leadership

NGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity;

Re: Request for Comments on the Preliminary Cybersecurity Framework

NIST Cybersecurity Framework What It Means for Energy Companies

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order Improving Critical Infrastructure Cybersecurity

Testimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS

Partnership for Cyber Resilience

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

Response to NIST: Developing a Framework to Improve Critical Infrastructure Cybersecurity

Cybersecurity in the Energy/Utility Sectors

Supplemental Tool: Executing A Critical Infrastructure Risk Management Approach

Framework for Improving Critical Infrastructure Cybersecurity

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Designing Compliant and Sustainable Security Programs 1 Introduction

CForum: A Community Driven Solution to Cybersecurity Challenges

No. 33 February 19, The President

CIPAC Water Sector Cybersecurity Strategy Workgroup: FINAL REPORT & RECOMMENDATIONS

Testimony of. Mr. Anish Bhimani. On behalf of the. Financial Services Information Sharing and Analysis Center (FS-ISAC) before the

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You!

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS

NERC CIP Compliance with Security Professional Services

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM

Transcription:

October 10, 2014 Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity Dear Ms. Honeycutt: On behalf of our members, the American Gas Association ( AGA ), and the Edison Electric Institute ( EEI ) are pleased to submit this response to the Request for Information: Experience with the Framework for Improving Critical Infrastructure Cybersecurity, which the National Institute of Standards and Technology ( NIST ) published in the Federal Register on Tuesday, August 26, 2014. AGA, founded in 1918, represents more than 200 local energy companies that deliver clean natural gas throughout the United States. There are more than 71 million residential, commercial, and industrial natural gas customers in the U.S., of which 94 percent over 68 million customers receive their gas from AGA members. AGA is an advocate for natural gas utility companies and their customers and provides a broad range of programs and services for member natural gas pipelines, marketers, gatherers, international natural gas companies and industry associates. Today, natural gas meets more than one-fourth of the United States' energy needs. EEI is the association of the nation s shareholder-owned electric utilities and its affiliates worldwide. EEI s U.S. members serve more than 98% of the ultimate customers of electricity in the shareholder owned segment of the industry and represent about 70% of the U.S. electric power industry. Protecting the nation s electric grid and ensuring a safe and reliable supply of power is the electric power industry s top priority. Thus, managing cybersecurity risk is a top priority. We appreciate the ongoing effort by NIST to support a broad, cross-sector cybersecurity framework to reduce cybersecurity risk to critical infrastructure. The approach taken by NIST in the Framework for Improving Critical Infrastructure Cybersecurity ( Framework ) in outlining the core elements of an effective cybersecurity risk management program, and recommending that their application be tailored to reflect each organization s unique business requirements, risks, risk tolerance, and resources provides useful guidance and flexibility that is essential to risk management. Cybersecurity risk management is not new to our members Our members already use a number of sector specific standards, guidelines, and practices, which align with the Framework. Examples include the mandatory and enforceable North American Electric Reliability Critical Infrastructure Protection ( NERC CIP ) Cybersecurity Standards, the

voluntary Department of Energy ( DOE ) Electricity and Oil and Natural Gas Subsector Cybersecurity Capabilities and Maturity Models, the voluntary Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry, the Transportation Security Administration ("TSA ) Pipeline Security Guidelines, and the voluntary NIST Guidelines for Smart Grid Cyber Security (NISTIR 7628). DOE, the Department of Homeland Security ( DHS ), NERC, trade organizations, and asset owners and operators of the Energy Sector have each devoted significant resources to improving cyber risk management. DOE and industry invested over $9 billion to accelerate the introduction of newer, smarter technologies to the electricity subsector. Funding for these projects required implementation of a cybersecurity plan, including evaluation of: cyber risks and mitigation measures, cybersecurity criteria for device and vendor selection, and relevant standards or best practices. EEI s Threat Scenario Project identifies threats and practices to mitigate these threats. Identified threats included coordinated cyber attacks, as well as blended physical and cyber attacks. The project established common elements for each threat scenario, including a description, likely targets, potential threat actors, specific attack paths, and likely impacts of a successful attack. The project continues to evolve as the threat landscape changes in order to keep EEI members prepared to identify and defend against emerging cyber threats. Electric power industry representatives also helped DOE, NIST, and NERC to develop the Electricity Subsector Cybersecurity Risk Management Process to help tailor cybersecurity risk management processes to meet organizational requirements. This guideline helps utilities incorporate cybersecurity risk considerations into their existing corporate risk management processes. The AGA Cybersecurity Task Force has been actively engaged in the development of products and programs intended to strengthen the natural gas utility industry s cybersecurity posture. In particular, the Small Utility Cybersecurity Project leverages AGA s Small Member Council to advance the cybersecurity threat mitigation capabilities of small utilities through application of the Oil and Natural Gas Cybersecurity Capability Maturity Model (ONG-C2M2). Similar to EEI s Threat Scenario Project, AGA published the Natural Gas Utility Threat Analysis Elements & Mitigations Guidance. This guidance provides a template for AGA member company s cybersecurity professionals to engage their senior leadership in discussion of leading cyber-based threats to the gas utility industry. Also, recently the Downstream Natural Gas Information and Analysis Center ( DNG-ISAC ) was established to help support the information sharing interests of downstream natural gas utilities. Recognizing the shared customer base and growing interdependency between natural gas and electric power generation, the DNG-ISAC coordinates and collaborates with the Electricity Sector ISAC ( ES-ISAC ) on physical as well as cyberrelated intelligence and incident information sharing. Through this concerted effort, the vast majority of electric companies and natural gas utilities across America have improved situational awareness of the security landscape. In addition to the coordinated public-private efforts with our government partners, efforts by other organizations, including the National Association of Corporate Directors and the National Association of Regulatory Utility Commissioners have also contributed to raising executive awareness. Although the Framework did not introduce cybersecurity risk management to our members, it has helped to encourage more comprehensive and mature, enterprise-wide 2

approaches to cybersecurity. As a result, many of our members now make regular reports to their board of directors on cybersecurity posture and risk. Strong member awareness of the Framework AGA, EEI, and our members actively and consistently engaged with NIST throughout the development of the Framework, supporting the development of a flexible, voluntary tool that leverages existing cybersecurity approaches. We continue to support NIST s efforts by raising awareness of the Framework through a variety our member committees and conferences focused on cybersecurity, through the Electricity Subsector Coordinating Council ( ESCC ) and the Oil and Natural Gas Sector Coordinating Council ( ONG SCC ), and in cross-sector venues. Our awareness efforts have focused on different member functions including regulatory, business continuity, cybersecurity, risk management, and legal professionals and staffing levels including security analysts, managers, directors, and executive officers. AGA also hosted a series of webinars on control system cybersecurity and application of the ONG-C2M2. AGA is also working with small utilities to develop robust cybersecurity programs. This summer, upon member request, EEI established new information sharing and work groups focused on cybersecurity: Cybersecurity Law Group, Enterprise Risk Management Task Force, and a Supply Chain Cyber Integrity Working Group. The Electricity Subsector is also regulated and subject to mandatory and enforceable cybersecurity standards, the NERC CIP cybersecurity standards. The Federal Energy Regulatory Commission ( FERC or the Commission ) approves and enforces these standards, on which utilities are formally audited every three years. In April, the Commission held a technical conference to discuss the latest order approving version five of the mandatory cybersecurity standards. A panel during this conference discussed the functional differences between the Framework and the NERC CIP cybersecurity standards. At this conference, EEI stressed the voluntary nature of the Framework, which leverages existing cybersecurity approaches and allows flexible implementation to address specific organizational needs. 1 Experiences with the Framework are just beginning Since the NIST Cybersecurity Framework was released in February, EEI and AGA members coordinated through the ESCC, ONG SCC, and DOE, our sector-specific agency ( SSA ), to develop energy sector-specific guidance for using the Framework. The Energy Sector Cybersecurity Framework Implementation Guidance ( Implementation Guidance ) aligns existing, publicly available sector-specific cybersecurity standards, tools, and processes with the Framework so that entities can continue to or start to use these customized tools to implement the Framework. A key tool used in this guidance is the C2M2, which helps our members assess their cybersecurity capabilities and prioritize their investments to enhance cybersecurity. The Implementation Guidance is currently being finalized by DOE after a 30 day public comment period. Although our members may be waiting for the Implementation Guidance to be finalized 1 See Edison Electric Institute, Prepared Statement of Melanie Seader, Senior Cyber & Infrastructure Security Analyst (April 29, 2014), available at http://www.ferc.gov/calendarfiles/20140429091439-seader,%20eei.pdf. 3

before considering whether they have implemented the Framework, many are focused on using the C2M2, either the ES-C2M2, ONG-C2M2, or generic C2M2. AGA and EEI members are adapting various risk-based methodologies and cybersecurity approaches to implement the Framework. Some are using control-based approaches such as NIST s Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53), others are using the C2M2, and some are integrating these and other approaches. The Framework and its alignment with the C2M2 is helpful in encouraging further and more in-depth use of the C2M2 and other cybersecurity approaches. The primary use of the Framework so far has been as an internal tool to help identify strengths and opportunities for improvement of existing cybersecurity practices. However, other uses of the Framework by members include: 1. As an internal communication tool to raise cybersecurity awareness and help integrate cybersecurity risk management into enterprise risk management 2. As an external communication tool to facilitate cybersecurity discussions with domestic and international partners Initial use of the Framework introduced new challenges One challenge in developing an industry practice, such as the Implementation Guidance, is that many member utilities belong to multiple critical infrastructure sectors, including Commercial Facilities; Chemical; Communications; Dams; Energy (electricity and oil and natural gas subsectors); Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems. Members encouraged DOE to focus on the Energy Sector and work with DHS and the other SSAs to align the Implementation Guidance with other sector efforts. In addition to coordinating with government partners to develop the Implementation Guidance, DOE also developed the C2M2, a generic version of the ES-C2M2 and ONG-C2M2 2 for use in other sectors, which NIST may want to consider in efforts to improve upon the Framework. Due to interdependencies, the ESCC and ONG SCC have also begun coordinating with other critical sectors to focus on cybersecurity information sharing, tools and technologies, and incident response. AGA also chairs the Joint Cybersecurity Work Group supporting the Oil and Natural Gas, Pipeline, and Chemical Sector Coordinating Councils. Another challenge is getting suppliers to view cybersecurity as a feature of their products. EEI established a cross-function team of information technology, cybersecurity, sourcing, risk management, and legal professionals to focus on this challenge as well as cyber supply chain integrity risk. Similarly, AGA has set up a task group to address this risk. We are building upon the work of the Energy Sector Control Systems Working Group s Cybersecurity Procurement Language for Energy Delivery Systems and the Framework to increase member awareness and partner with our suppliers to improve cybersecurity and cyber supply chain integrity through procurement to build cybersecurity into systems. 2 See DOE s Cybersecurity Capability Maturity Model Program at: http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program. 4

We greatly appreciate the NIST efforts to develop the Framework, listen to and incorporate our feedback, and seek comments from stakeholders on awareness and experiences using the Framework. AGA, EEI, and our members look forward to future collaboration with NIST and our other government partners to improve the cybersecurity of critical infrastructure. Sincerely, Scott I. Aaronson Senior Director, National Security Policy Edison Electric Institute Jim Linn Managing Director, Information Technologies American Gas Association 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information