NIST CYBERSECURITY FRAMEWORK IMPLEMENTATION: ENERGY SECTOR APPROACH

Similar documents
ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

DOE Cyber Security Policy Perspectives

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

How To Write A Cybersecurity Framework

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

Which cybersecurity standard is most relevant for a water utility?

NIST Cybersecurity Framework. ARC World Industry Forum 2014

CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2) FACILITATOR GUIDE

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order Improving Critical Infrastructure Cybersecurity

Risk Management in Practice A Guide for the Electric Sector

NIST Cybersecurity Framework What It Means for Energy Companies

Buyer Beware: How To Be a Better Consumer of Security Maturity Models

Cybersecurity Framework: Current Status and Next Steps

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis

C2M2 and the NIST Cyber Framework: Applying DOE's NIST Cyber Security Framework Guidance

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

The NIST Cybersecurity Framework

No. 33 February 19, The President

Business Continuity for Cyber Threat

PROTIVITI FLASH REPORT

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, February 12, 2013

Why you should adopt the NIST Cybersecurity Framework

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Final Draft/Pre-Decisional/Do Not Cite. Forging a Common Understanding for Critical Infrastructure. Shared Narrative

Framework for Improving Critical Infrastructure Cybersecurity

Cyber Security and Privacy - Program 183

Framework for Improving Critical Infrastructure Cybersecurity

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Why you should adopt the NIST Cybersecurity Framework

Cybersecurity for Medical Devices

Billing Code: 3510-EA

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM

How To Understand And Manage Cybersecurity Risk

National Institute of Standards and Technology Smart Grid Cybersecurity

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

Response to NIST: Developing a Framework to Improve Critical Infrastructure Cybersecurity

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team. National Cybersecurity and Communications Integration Center

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

CForum: A Community Driven Solution to Cybersecurity Challenges

Addressing Dynamic Threats to the Electric Power Grid Through Resilience

IEEE-Northwest Energy Systems Symposium (NWESS)

Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary

istockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved.

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

Roadmaps to Securing Industrial Control Systems

Building Security In:

NIPP Partnering for Critical Infrastructure Security and Resilience

Critical Infrastructure Security and Resilience

CONCEPTS IN CYBER SECURITY

Update on U.S. Critical Infrastructure and Cybersecurity Initiatives

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Rebecca Massello Energetics Incorporated

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

Subject: Critical Infrastructure Identification, Prioritization, and Protection

Written Statement of Richard Dewey Executive Vice President New York Independent System Operator

December 17, 2003 Homeland Security Presidential Directive/Hspd-7

Managing Cyber Risks to Transportation Systems. Mike Slawski Cyber Security Awareness & Outreach

Keeping the Lights On

What are you trying to secure against Cyber Attack?

NH-ISAC. Cybersecurity Resilience Securing the Infrastructures that Secure Healthcare & Public Health. The National Health ISAC

CYBER SECURITY GUIDANCE

Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

INTRODUCTION TO INFORMATION TECHNOLOGY SECTOR CRITICAL INFRASTRUCTURE PROTECTION...

NH!ISAC"ADVISORY"201.13" NATIONAL"CRITICAL"INFRASTRUCTURE"RESILIENCE"ANALYSIS"REPORT""

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order

Supplemental Tool: NPPD Resources to Support Vulnerability Assessments

NCCIC CYBER INCIDENT SCORING SYSTEM OVERVIEW

Facilitated Self-Evaluation v1.0

Cybersecurity Enhancement Account. FY 2017 President s Budget

Building Insecurity Lisa Kaiser

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

CIPAC Water Sector Cybersecurity Strategy Workgroup: FINAL REPORT & RECOMMENDATIONS

NIST Cybersecurity Framework & A Tale of Two Criticalities

CYBERSECURITY RISK MANAGEMENT

September 28, MEMORANDUM FOR. MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business

Transcription:

NIST CYBERSECURITY FRAMEWORK IMPLEMENTATION: ENERGY SECTOR APPROACH SANS ICS Security Summit March 18, 2014 Jason D. Christopher Nadya Bartol Ed Goff

Agenda Background Use of Existing Tools: C2M2 Case Study Next Steps for the Energy Sector: Implementation Guidance Asset owner/operator prespective 2

Strengthening Critical Infrastructure: Security and Resilience Cyber threats pose one the gravest national security dangers that the United States faces. February 12, 2014 Presidential Statement on the Cybersecurity Framework 3

February 2013: Executive Order 13636 Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties

NIST Cybersecurity Framework Released February 12, 2014 Developed in partnership with asset owners and operators, academia, and US Government A risk-based cybersecurity approach composed of the following three parts: Core Profile Tiers Question: How can a sector address the Framework given the tools they currently use today? 5

Framework Components - Core FUNCTION CATEGORY SUBCATEGORY REFERENCES CORE Cybersecurity activities, desired outcomes, and common references organized under five concurrent and continuous Functions Identify, Protect, Detect, Respond, Recover 6

Framework Components - Profile PROFILE The alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing Current and Target Profiles 7

Framework Components - Tiers Tier 1 Tier 2 Tier 3 Tier 4 Partial Risk Informed Repeatable Adaptive TIERS The degree to which an organization s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). 8

Critical Infrastructure Cyber Community Voluntary Program The C-Cubed Voluntary Program has 3 goals: First - Support increasing cyber resilience of critical infrastructure Second - Increase awareness and use of the NIST Cybersecurity Framework; And Third - Encourage organizations to manage cybersecurity as part of an all hazards approach to enterprise risk management www.dhs.gov/ccubedvp 9

Agenda Background Use of Existing Tools: C2M2 Case Study Next Steps for the Energy Sector: Implementation Guidance Asset owner/operator perspective 10

Introduction Since June 2012, hundreds of organizations have used the C2M2. DOE has facilitated selfevaluations for utilities servicing an estimated 39 million US consumers. Business Executives for National Security (BENS) plans to endorse C2M2 for their 400+ members, including Cisco, Amazon, Dell SecureWorks, Lockheed, etc. 11

C2M2 Program ES-C2M2 Public-private collaborative effort Sector specific subject matter expertise Pilot evaluations ONG-C2M2 Tested and refined for ONG through ONG pilot evaluations across upstream, midstream, and downstream ONG companies. C2M2 Without sector-specific references or terms of art Refined through the ONG pilots, and also via crosssector outreach 12

Goals Strengthen cybersecurity capabilities Enable consistent evaluation and benchmarking of cybersecurity capabilities Share knowledge and best practices Enable prioritized actions and cybersecurity investments If requested, DOE facilitates voluntary selfevaluations free of cost. DOE also plans to work with private sector stakeholders to develop energy sector benchmarking based on non-attributable data 13

Industry Use and Adoption DOE also performs facilitated self-evaluations: Roughly 40 completed to date, covering nearly 39 million consumers 14

The Approach: Maturity Model Maturity Model Definition: An organized way to convey a path of experience, wisdom, perfection, or acculturation. The subject of a maturity model can be an object or things, ways of doing something, characteristics of something, practices, or processes. 15

Progression Model Examples Progression for Counting Computer Calculator Adding machine Slide rule Abacus Pencil and paper Fingers Fly Progression for Human Mobility Sprint Run Jog Walk Crawl Progression for Authentication Three-factor authentication Two-factor authentication Passwords change every 60 days Strong passwords Passwords 16

Capability Model Examples Example 1 Practices are optimized Practices are quantitatively managed Practices are defined Practices are managed Practices are ad hoc Example 2 Practices are externally integrated Practices are internally integrated Practices are managed Practices are performed Practices are initiated Example 3 Practices are shared Practices are defined Practices are measured Practices are managed Practices are planned Practices are performed but ad hoc Practices are incomplete 17

WM CPM SA ISC IR EDM RM ACM IAM TVM Model Includes 10 Domains Risk Management Asset, Change, and Configuration Management Identity and Access Management Threat and Vulnerability Management Situational Awareness Information Sharing and Communications Event and Incident Response, Continuity of Operations Supply Chain and External Dependencies Management Workforce Management Cybersecurity Program Management Domains are logical groupings of cybersecurity practices Each domain has an acronym that cross references with the evaluation toolkit 18

Risk Management Asset, Change and Configuration Management Identity and Access Management Threat and Vulnerability Management Situational Awareness Information Sharing and Communications Event and Incident Response, Continuity of Operations Supply Chain and External Dependencies Management Workforce Management Cyberseacurity Program Management Maturity Indicator Levels The Model at a Glance 3 Managed 2 Performed 1 Initiated 0 Not Performed 4 Maturity Indicator Levels: Defined progressions of practices Each cell contains the defining practices for the domain at that maturity indicator level 10 Model Domains: Logical groupings of cybersecurity practices 19

Organization of a Domain Model Domain Model contains 10 domains Approach Objectives (one or more per domain) Unique to each domain Practices at MIL1 Practices at MIL2 Practices at MIL3 Approach objectives are supported by a progression of practices that are unique to the domain Management Objectives (one or more per domain) Similar in each domain Each management objective Practices at MIL2 is supported by a progression Practices at MIL3 of practices that are similar in each domain and describe institutionalization activities 20

Maturity Indicator Levels Level Name Description MIL0 Not Performed MIL1 has not been achieved in the domain MIL1 Initiated Initial practices are performed, but may be ad hoc MIL2 Performed Practices are documented Stakeholders are involved Adequate resources are provided for the practices Standards or guidelines are used to guide practice implementation Practices are more complete or advanced than at MIL1 MIL3 Managed Domain activities are guided by policy (or other directives) Activities are periodically reviewed for conformance to policy Responsibility and authority for practices are clearly assigned to personnel with adequate skills and knowledge Practices are more complete or advanced than at MIL2 21

RM Scoring Sample Summary Score There are 2 practices at MIL1 for the Risk Domain Outer ring and number(s) summarize implementation state of those practices; in this case, both practices are fully implemented 22

RM Scoring Sample Summary Score 2 practices are not implemented To achieve MIL2, requires 13 practices in total, including the 2 from MIL1 11 practices are fully implemented 23

RM Scoring Sample Summary Score 24

Report Sample Summary Score 25

Agenda Background Use of Existing Tools: C2M2 Case Study Next Steps for the Energy Sector: Implementation Guidance Asset owner/operator perspective 26

C2M2 and Framework Implementation Guidance MILs, Tiers, Profiles, and Scorecards Confused yet? Several sectors are working on Framework Guidance to remove the confusion and speak plainly regarding the use of existing tools and programs C2M2, like many other existing tools that are well-vetted with industry, act as Framework enablers for implementation. Some tools are better equipped to address the Framework than others how many standards have the concept of progressing a program or capability? C2M2 is a self-assessment methodology Like the Framework itself, any sector guidance will also be voluntary. 27

Sector Specific Agency Role Executive Order 13636 Improving Critical Infrastructure Cybersecurity Section 8(b) Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sectorspecific risks and operating environments. DOE is working with sector to develop an implementation guidance document. The guidance document will address the C2M2 and other industry approaches for framework implementation. 28

Stakeholder Engagement DEPARTMENT OF ENERGY Framework Implementation Guidance Development GUIDELINE DEVELOPMENT Electricity Subsector Coordinating Council (ESCC) / Senior Executive Work Group (SEWG) / Framework Implementation Sub-Team CROSS SECTOR COLLABORATION Transportation - TSA, Coast Guard SECTOR ENGAGEMENT EVENTS GUIDELINE DEVELOPMENT Oil & Natural Gas Subsector Coordinating Council (ONG SCC) / Cybersecurity Work Group / Framework Implementation Team PUBLIC SECTOR COLLABORATION Energy Government Coordinating Council (GCC) DHS C³ Voluntary Program White House NIST 29

Electricity Subsector - Progress DOE and the Electricity Subsector Coordinating Council (ESCC) / Senior Executives Work Group (SEWG) / Framework Guidance Sub-Team held a kick-off meeting on February 13 th, 2014 The team is currently reviewing guidance development approach, C2M2-Framework mapping and a proposed outline for the Framework Implementation Guideline document The team will meet on bi-weekly basis to support guidance development efforts. The resulting document will be used to publish a notice in the Federal Register to seek formal sector comments. 30

C2M2 and Framework Implementation Guidance There are many potential tools for addressing Framework implementation. The C2M2 is one of many such tools. For organizations that use C2M2, the Implementation Guidance will highlight the interoperability between the NIST Cybersecurity Framework and DOE s C2M2 program. For example: C2M2 Practices, which cover elements of both the Framework Core and Tier characterizations, address both sophistication of a cybersecurity program, as well as the culture, or institutionalization supporting it. C2M2 Maturity Indicator Levels (MILs), a measure of the progression within a C2M2 domain as a cybersecurity program develops, tie with elements of the Framework Tiers. Each of the domain MIL scores in the C2M2 incorporate elements of the risk management characteristics from the Tiers. C2M2 Scorecards, which highlight the level of maturity across C2M2 domains, are almost identical to the concept of Framework Profiles, both current and target. For organizations that prefer an implementation approach other than the C2M2, DOE will work with the SCCs to develop and incorporate the alternative approaches in the guidance document to satisfy the framework requirements. 31

Agenda Background Use of Existing Tools: C2M2 Case Study Next Steps for the Energy Sector: Implementation Guidance Asset owner/operator perspective 32

Asset owner/operator perspective DOE Facilitated assessment in 2013 Duke Energy adopted the ES-C2M2 model to baseline current practices and to establish desired maturity levels across the ten domains. This project involved legacy teams from Transmission, Generation, NERC Corporate Compliance, IT, and Enterprise Protective Services (physical) and included the following activities: Educated & trained project team members on the Cybersecurity Capability Maturity Model (ES-C2M2) Mapped NERC CIP Reliability Standards and Requirements to the domains in the model Assessed current maturity level of the organization (facilitated by the Department of Energy) Developed action items, prioritization & implementation plans Creating a new business case for ES-C2M2 adoption throughout the company

Asset owner/operator perspective Scope Critical infrastructure is defined in the EO as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. What does adoption mean? Adoption = DHS language any organization that uses the Framework as a part of its process to identify and manage cyber risk has adopted the Framework "provide a prioritized, flexible, repeatable, performance-based, and costeffective approach," implementation of the Framework should focus on the systems and assets essential to critical infrastructure functions. What is essential to critical infrastructure function will vary by organization.

Asset owner/operator perspective Multiple sector alignment Commercial Facilities, Chemical Communications Dams Energy (electric and oil and natural gas subsectors) Nuclear Reactors, Materials, and Waste Transportation Systems Water and Wastewater Systems Chemical

Asset owner/operator perspective Some of the top tools used in the energy sector: ES-C2M2 ES-RMP NERC CIPv5 TSA Pipeline Security Guideline NIST 800-53 NIST 7628 Chemical Facility Anti-Terrorism Standards Maritime Transportation Security Act

Asset owner/operator perspective Implementation EO 13636 Sec. 8 (b): Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments Sector-Specific Agency = DOE is primary Sector Coordinating Council = Electricity Sub-Sector Coordinating Council (ESCC)

Electricity Subsector Coordinating Council (ESCC) Electricity Subsector Coordinating Council (ESCC) 30 member body to serve as the principle entity coordinating with government counterparts on planning, preparedness, resilience, and recovery issues related to national security issues affecting the electric grid Leadership (3) : 1 chair, 2 vice chairs Steering Committee (9): NIAC representative, APPA, CEA, EEI, EPSA, ISO/RTO Council, NEI, NERC, NRECA Asset Owners (18): CEOs proportionally representing asset owners from across industry segments Electricity Subsector Information Sharing and Analysis Center (ES-ISAC) Day-to-day operations run by NERC

ESCC working groups and sub teams Mechanism for industry-government coordination to prepare for and respond to national-level threats to critical infrastructure ESCC is CEO level Senior Executive Working Group (SEWG) senior executives, e.g., COOs, CIOs, CISOs SEWG Sub Teams Flow of Information Playbook Development & Incident Response Cyber Framework Implementation

ESCC SEWG Cyber Framework Implementation Sub Team Began the discussion Kick off February 28 th Implementation guidance planned to be complete in 90 days Industry need for mapping existing cybersecurity guides to the Framework to identify overlap and gaps Government prefers high-level implementation guide, which lists the key cybersecurity tools used by the sector Perhaps we can do both? Keep the implementation guidance high-level Develop more detailed maps within industry

THANK YOU For questions or feedback please contact JASON.CHRISTOPHER@HQ.DOE.GOV EDWIN.GOFF@DUKE-ENERGY.COM SAMARA_N_MOORE@NSC.EOP.GOV Nadya.bartol@utc.org 41

RESOURCES Cybersecurity Framework and supporting materials: http://www.nist.gov/itl/cyberframework.cfm NIST Computer Security Resource Center: http://csrc.nist.gov/ C3 Voluntary Program: www.dhs.gov/ccubedvp C2M2 Program: http://energy.gov/oe/cybersecurity-capability-maturitymodel-c2m2-program Cybersecurity Procurement Language for Energy Delivery Systems: https://www.controlsystemsroadmap.net/efforts/pages/cybersecurity- Procurement-Language-for-Energy-Delivery-Systems.aspx 42

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information